We introduce three models of probabilistic processes, namely, reactive, generative and stratified.
These models are investigated within the context of PCCS, an extension of Milner's SCCS in
which each summand of a process summation expression is guarded by a probability and the
sum of these probabilities is 1. For each model we present a structural operational semantics of
PCCS and a notion of bisimulation equivalence which we prove to be a congruence. We also show
that the models form a hierarchy: the reactive model is derivable from the generative model
by abstraction from the relative probabilities of different actions, and the generative model
is derivable from the stratified model by abstraction from the purely probabilistic branching
structure. Moreover the classical nonprobabilistic model is derivable from each of these models
by abstraction from all probabilities.


1  Introduction 

In the reactive model [Pnu85] of classical concurrency theory, a process reacts to stimuli presented
by its environment. A mechanistic view of the reactive model has been given by Milner [Mil80]
in terms of button pushing experiments. The environment or observer experiments on a process
by attempting to depress one of several buttons that the process possesses as its interface to the
outside world. The experiment succeeds if the button is unlocked and therefore goes down; otherwise
the experiment fails. In response to a successful experiment, the process makes an internal state
transition and is then ready for further experimentation.

*Research supported in part by ONR Grant N00014-92-J-1974.

†Research supported in part by NSF Grants CCR-8704309, CCR-9120995, and CCR-9208585; and AFOSR Grant
F49620-93-1-0250.

Figure 1: Reactive process P and generative process Q.

The reactive model has been adopted by Larsen and Skou [LS91] for probabilistic processes:
a button-pressing experiment succeeds, with probability 1, or else fails. If successful, the
process makes an internal state transition according to a probability distribution associated with the
depressed button and the current state of the process.

In the probabilistic case, it is interesting to consider a more “probabilistic” form of
experimentation we call the generative model. In this setting, an observer may attempt to depress more than
one button at a time. Now the process is more or less on equal footing with its environment, and
will decide, according to a prescribed probability distribution, which button if any will go down. In
response to a successful outcome, this same probability distribution, conditioned by the process’s
choice of button, will govern the internal state transition made by the process.

For  example,  consider  the  reactive  process  P  and  the  generative  process  Q  given  by: 

P  =  +  ^a .  {a  +  b)  +  b .  c  Q  =  ^a  +  ^a .  (^a  +  ^b)  -I-  56 .  c 

P  and  Q  have  as  semantics  the  probabilistic  labeled  transition  systems  depicted  in  Figure  1.  For  P, 
an a- or b-experiment will succeed with probability 1, whereas a c-experiment will fail. In the case
of an a-experiment, P will branch left with probability \ and right with probability |. Note that
no information is given about the relative probability of performing an a-action versus a b-action
in  P’s  initial  state. 

For the generative process Q, if the observer simultaneously attempts to depress the a and b
buttons, Q will unlock its a-button with probability | and its b-button with probability 5. In the
former  case,  Q  will  branch  left  with  probability  \  and  right  with  probability  |,  which  is  precisely 
P’s  reaction  to  an  a-experiment.  In  fact,  for  any  single-button  experiment,  P  and  Q  behave  the 
same.  Thus  Q  contains  strictly  more  information  than  P,  and,  in  a  broader  sense,  the  reactive 
model  is  an  abstraction  of  the  generative  model. 

In  this  paper  we  also  consider  the  stratified  model  of  probabilistic  processes,  which  captures  the 
branching  structure  of  the  purely  probabilistic  choices  made  by  a  process.  For  example,  consider 
an  operating  system  in  which  there  are  n  processes  to  be  multiprogrammed.  One  of  these  is  the 
garbage  collector  which  performs  optimally  if  given  one  third  of  the  CPU  cycles.  The  other  n  -  1 
processes  are  user  processes  and  should  equally  share  the  remaining  two  thirds  of  the  CPU.  For  the 
case  n  =  3,  a  plausible  specification  of  a  scheduler  for  these  processes  would  be 

$$Sc = \mathit{fix}_X\left(\tfrac{1}{3}a.X + \tfrac{1}{3}b.X + \tfrac{1}{3}c.X\right)$$

Figure 2: Stratified and generative transition systems of Sc'.

where  the  action  a  identifies  the  garbage  collector,  and  b  and  c  the  user  processes.  But  consider 
the  restriction  context  in  which  user  c  is  denied  further  access  to  the  machine.  What  would  happen 
to  its  share  of  the  CPU?  Because  of  the  symmetry  in  the  above  specification,  we  would  naturally 
arrive  at  the  expression 

$$\mathit{fix}_X\left(\tfrac{1}{2}a.X + \tfrac{1}{2}b.X\right)$$

Now,  however,  the  garbage  collector  is  granted  one  half  of  the  CPU  which  is  different  from  our 
original  intent.  An  exact  specification  of  the  scheduler  can  be  obtained  through  the  use  of  nested 
expressions  of  probabilistic  choice: 

$$Sc' = \mathit{fix}_X\left(\tfrac{1}{3}a.X + \tfrac{2}{3}\left(\tfrac{1}{2}b.X + \tfrac{1}{2}c.X\right)\right)$$

which,  in  the  stratified  model,  yields  the  leftmost  probabilistic  labeled  transition  system  of  Figure  2. 
If  user  c  were  now  denied  access  we  would  obtain 

$$\mathit{fix}_X\left(\tfrac{1}{3}a.X + \tfrac{2}{3}b.X\right)$$

as  desired.  Thus,  in  the  stratified  model,  the  intended  relative  frequencies  are  preserved  in  a 
level-wise  fashion  in  the  presence  of  restriction. 
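
The renormalisation described in this scheduler example can be checked mechanically. The following Python sketch is an added illustration, not code or formal rules from the paper: it models a single unfolding of the scheduler's choice as a tree of probability-weighted branches (the tree encoding and all function names are assumptions made here), and contrasts level-wise renormalisation under restriction with flattening followed by a single renormalisation.

```python
from fractions import Fraction as Fr

# A choice tree is either an action name (str) or a list of
# (probability, subtree) pairs.  Both trees model one unfolding of the
# scheduler: Sc is the flat sum, Sc' the nested one.
SC = [(Fr(1, 3), "a"), (Fr(1, 3), "b"), (Fr(1, 3), "c")]
SC_NESTED = [(Fr(1, 3), "a"),
             (Fr(2, 3), [(Fr(1, 2), "b"), (Fr(1, 2), "c")])]


def restrict_stratified(tree, allowed):
    """Prune actions outside `allowed` and renormalise each level of
    nesting on its own.  Returns None if no branch survives."""
    if isinstance(tree, str):
        return tree if tree in allowed else None
    kept = []
    for p, sub in tree:
        restricted = restrict_stratified(sub, allowed)
        if restricted is not None:
            kept.append((p, restricted))
    if not kept:
        return None
    total = sum(p for p, _ in kept)
    return [(p / total, sub) for p, sub in kept]


def flatten(tree, weight=Fr(1)):
    """Multiply out nested choices into one distribution over actions
    (the 'flattened' view of the branching structure)."""
    if tree is None:
        return {}
    if isinstance(tree, str):
        return {tree: weight}
    dist = {}
    for p, sub in tree:
        for action, q in flatten(sub, weight * p).items():
            dist[action] = dist.get(action, Fr(0)) + q
    return dist


def restrict_generative(tree, allowed):
    """Flatten first, then drop disallowed actions and renormalise once."""
    dist = {a: p for a, p in flatten(tree).items() if a in allowed}
    total = sum(dist.values())
    if total == 0:
        return {}
    return {a: p / total for a, p in dist.items()}


if __name__ == "__main__":
    allowed = {"a", "b"}  # user c is denied access
    print("flat Sc, restricted:      ", restrict_generative(SC, allowed))
    print("Sc' flattened, restricted:", restrict_generative(SC_NESTED, allowed))
    print("Sc' level-wise restricted:",
          flatten(restrict_stratified(SC_NESTED, allowed)))
```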

Note that the probabilistic labeled transition system of Sc' in the generative model is simply
the right one of Figure 2. Thus, in the generative model, Sc is (unfortunately) equivalent to Sc'.
We  shall  see  that,  in  a  broader  sense,  the  generative  model  is  an  abstraction  of  the  stratified  model, 
in  which  the  branching  structure  of  probabilistic  choices  has  been  “flattened.” 

The extremal case of nested probabilistic choice in the stratified model, in which zero
probabilities are permitted, yields a general notion of process priority. For example, the expression

$$1P + 0(1Q + 0R)$$

gives  priority  to  process  P  over  Q  and  R,  and  priority  to  Q  over  R.  Thus  process  R  can  only  be 
executed  in  a  restriction  context  that  excludes  P  and  Q.  Zero  probabilities  are  not  considered  in 
this  paper,  but  their  role  in  modeling  priority  is  examined  carefully  in  [SS90]. 


Summary  of  Technical  Results 

We will be working within the framework of PCCS, a specification language for probabilistic
processes introduced in [GJS90]. PCCS is derived from Milner’s SCCS [Mil83] by replacing the operator
of nondeterministic process summation with a probabilistic counterpart. Several PCCS expressions
have appeared above, which should give the flavor of the language.

For each of the three probabilistic models, and, for comparison purposes, the classical
nonprobabilistic model, we present the following:

• a structural operational semantics of PCCS, given as a set of inference rules in the style
of Plotkin [Plo81] and Milner [Mil89]. For each model, these inference rules determine a
semantic mapping from the set of PCCS expressions to a particular domain of probabilistic
labeled transition systems. We denote these mappings as $\varphi_N$, $\varphi_R$, $\varphi_G$ and $\varphi_S$, respectively.
(As discussed in Section 4, the relabeling operator of PCCS is not compatible with the
reactive model, and also the combination of summation and unguarded recursion may be
problematic. Therefore, $\varphi_R$ applies only to a sublanguage $\mathrm{PCCS}_R$ of PCCS in which relabeling
and unguarded recursion are excluded.)

• a notion of bisimulation semantics. In [LS91], Larsen and Skou introduced probabilistic
bisimulation, a natural and elegant extension of strong bisimulation [Par81, Mil83] for reactive
processes. We likewise define probabilistic bisimulation on generative and stratified processes.
In each model, the largest bisimulation (under set inclusion), denoted ~, and respectively,
determines the model’s bisimulation semantics.

• We prove that ~ is a congruence with respect to $\mathrm{PCCS}_R$, and ~, ~ and ~ are congruences
with respect to PCCS.


We  then  inter-relate  the  models,  ultimately  showing  that  they  form  a  hierarchy:  the  generative 
model  is  an  abstraction  of  the  stratified  model,  the  reactive  model  is  an  abstraction  of  the  generative 
model,  and  the  nonprobabilistic  model  is  an  abstraction  of  the  reactive  model.  This  reflects  the 
stepwise  reduction  of  “observational  power”;  i.e.  starting  from  the  stratified  model,  we  first  abstract 
from  the  probabilistic  branching  structure,  then  from  the  relative  probabilities  among  different 
actions,  and  finally  from  all  probabilities.  We  proceed  as  follows: 

• We add to the stratified, generative and reactive operational semantics inter-model abstraction
rules, which respectively allow the inference of generative probabilistic transitions from
stratified ones, reactive probabilistic transitions from generative ones, and nonprobabilistic
transitions from reactive ones. These rules determine mappings between domains of probabilistic
labeled transition systems, which are denoted as $\varphi_{SG}$, $\varphi_{GR}$ and $\varphi_{RN}$, respectively. Similarly
we define “shortcuts” $\varphi_{SR}$, $\varphi_{GN}$ and $\varphi_{SN}$, and establish
$\varphi_{GN} \circ \varphi_{SG} = \varphi_{RN} \circ \varphi_{SR} = \varphi_{SN}$,
$\varphi_{RN} \circ \varphi_{GR} = \varphi_{GN}$ and $\varphi_{GR} \circ \varphi_{SG} = \varphi_{SR}$.
The last result however only holds for stratified transition systems specified by closed PCCS
expressions in which each summation is probability- and action-guarded. We refer to such
expressions as summation-guarded PCCS expressions.


We obtain the following inter-model abstraction results.

For any two stratified transition systems G and H: $G \sim H \Rightarrow \varphi_{SG}(G) \sim \varphi_{SG}(H)$

For any two generative transition systems G and H: $G \sim H \Rightarrow \varphi_{GR}(G) \sim \varphi_{GR}(H)$

For any two reactive transition systems G and H: $G \sim H \Rightarrow \varphi_{RN}(G) \sim \varphi_{RN}(H)$

For any two stratified transition systems G and H: $G \sim H \Rightarrow \varphi_{SR}(G) \sim \varphi_{SR}(H)$

Note that our last abstraction result holds for all stratified transition systems and is
therefore not directly obtainable from the first two via the $\varphi_{SR}$ shortcut (which applies only to
summation-guarded stratified transition systems).

Figure 3: Interdependencies between the models.


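• For P a closed PCCS expression we prove the following commutativity results, which, in
addition to the abstraction results, establish the hierarchy among the models.

$$\begin{array}{ll}
\varphi_G(P) = \varphi_{SG}(\varphi_S(P)) & \text{if } P \text{ is summation-guarded or restriction-free} \\
\varphi_R(P) = \varphi_{GR}(\varphi_G(P)) & \text{if } P \text{ is a summation-guarded } \mathrm{PCCS}_R \text{ expression} \\
\varphi_R(P) = \varphi_{SR}(\varphi_S(P)) & \text{if } P \text{ is a } \mathrm{PCCS}_R \text{ expression} \\
\varphi_N(P) = \varphi_{RN}(\varphi_R(P)) & \text{if } P \text{ is a } \mathrm{PCCS}_R \text{ expression} \\
\varphi_N(P) = \varphi_{SN}(\varphi_S(P)) = \varphi_{GN}(\varphi_G(P)) &
\end{array}$$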


In the presence of restriction and general summation the first commutativity result does not
hold. This is to be expected, as the stratified model is motivated by its different treatment
of restriction with respect to nested summations. Additionally, we show that the second
commutativity result does not hold in the presence of general summation. In fact, our
counterexample suggests that the reactive summation has a stratified flavor that is not present
in the generative case. This impression is supported by the third commutativity result, that
holds without restrictions on summation or restriction. It is not possible to define in a
compositional way a more generatively flavored summation in the reactive model, that would allow
a generalization of the second commutativity result.

• We then show that the equivalence induced on the stratified (generative) model via
abstraction to the generative (reactive) model is not a congruence with respect to PCCS. This
demonstrates the need for refining the bisimulation semantics when moving to a less abstract
model. More precisely, we exhibit a pair of PCCS processes P, Q and a context C[ ] such that

$$\varphi_{SG}(\varphi_S(P)) \sim \varphi_{SG}(\varphi_S(Q)) \quad\text{and}\quad \varphi_{SG}(\varphi_S(C[P])) \not\sim \varphi_{SG}(\varphi_S(C[Q]))$$

Similarly  for  the  generative-to-reactive  and  stratified-to-reactive  abstractions. 

• On the other hand, the equivalence induced on the stratified model via abstraction to the
reactive model is a congruence with respect to $\mathrm{PCCS}_R$. Likewise, the equivalences induced
on the stratified and generative models via abstraction to the nonprobabilistic model are
congruences with respect to PCCS; and the equivalence induced on the reactive model via
abstraction to the nonprobabilistic model is a congruence with respect to $\mathrm{PCCS}_R$. These
congruence results can be seen as consequences of the fact that the corresponding commutativity

R  G  S 

results  hold  without  side  conditions,  and  that  and  ~  are  congruences. 

The  interdependencies  between  the  different  models  are  summarized  in  Figure  3.  Here  the  upper 
part  reflects  the  commutativity  results,  the  double  arrows  below  reflect  the  abstraction  results,  and 
the dashed arrows indicate the bisimulations that are induced on the stratified, generative, and
reactive models via abstraction to the generative, reactive, and nonprobabilistic models, respectively.

We  conclude  the  paper  with  an  interesting  open  problem  concerning  an  equivalence  relation  ^ 

G  S 

(mixed bisimulation) that, in terms of its distinguishing strength, falls strictly between ^ and
and  is  still  a  congruence  in  the  stratified  model.  We  conjecture  that  ~  is  the  largest  congruence 
contained  in 

Related  Work 

This  paper  is  an  extended  version  of  [vGSST90],  which  was  written  in  cooperation  with  Chris  Tofts. 
The  main  contributions  of  the  current  paper  and  [vGSST90]  are: 

- The reactive operational semantics of summation-guarded $\mathrm{PCCS}_R$ was first given in [vGSST90].
The  reactive  semantics  of  general  summation,  not  present  in  [vGSST90],  was  developed  in  [LS92]. 
The  generative  operational  semantics  of  PCCS  stems  from  [GJS90]. 

-  The  stratified  model  and  its  operational  and  bisimulation  semantics  first  appeared  in  [vGSST90]. 

-  All  congruence  results  and  the  interrelations  between  the  various  models  were  indicated,  in  part, 
in  [vGSST90].  Their  detailed  proofs  are  given  here  for  the  first  time. 

Pointers to earlier, mostly logic-oriented approaches to probabilistic processes (e.g.
probabilistic temporal and dynamic logic) can be found in [GJS90]. Recent work on probabilistic
process algebra includes [LS92] (in a reactive setting), [JS90, JL91, BBS92] (in a generative setting)
and [SS90, Tof90b] (in a stratified setting). All these papers consider probabilistic bisimulation,
except for [JS90], where also probabilistic versions of trace, failure and readiness equivalences
and congruences are studied. The interplay between time and probability has been investigated
in [HJ90, Low91].

Larsen  and  Skou  [LS91]  have  examined  the  reactive  model  in  the  setting  of  testing.  They 
exhibit a testing algorithm that, with probability $1 - \epsilon$, where $\epsilon$ is arbitrarily small, can distinguish
processes  that  are  not  probabilistically  bisimilar.  Bloom  and  Meyer  [BM89]  further  show  that  if 
nondeterministic  bounded-branching  processes  P  and  Q  are  bisimilar,  then  there  is  an  assignment 
of  probabilities  to  the  edges  of  P  and  Q,  yielding  reactive  processes  P'  and  Q'  such  that  P'  and  Q' 
are  probabilistically  bisimilar. 

Christoff [Chr90] also considers the testing of probabilistic processes. He proposes three
probabilistic trace-based testing equivalences for generative processes using nondeterministic tests.
Cleaveland et al. [CSZ92] investigate the testing of generative processes as well (but with generative
tests); close connections to the classical testing theory of De Nicola and Hennessy are demonstrated.
Similar connections are made by Yi and Larsen in [YL92] for a model of probabilistic processes
based  on  [HJ90]. 

Jones  and  Plotkin  [JP89]  investigate  a  probabilistic  powerdomain  of  evaluations,  which  they  use 
to  give  the  semantics  of  a  language  with  a  probabilistic  parallel  construct.  Finally,  Seidel  [Sei92] 
uses conditional probability measures to give a semantics to a probabilistic extension of CSP.

2  Syntax  of  PCCS 

As in SCCS, the atomic actions of PCCS form a multiplicative structure $(\mathrm{Act}, \cdot)$ that is generated
freely from the set $\Lambda$ of particulate actions. Unlike SCCS, where Act is an abelian monoid, we
assume neither commutativity nor associativity for action product ($\cdot$). Thus all elements of Act are
of the form $a$ or $(\alpha, \beta)$, where $a \in \Lambda$ and $\alpha, \beta \in \mathrm{Act}$. One can think of the atomic action $(\alpha, \beta)$ as
the simultaneous ordered occurrence of actions $\alpha$ and $\beta$.

As  discussed  in  Section  4,  the  free  structure  of  our  action  algebra  is  necessary  to  be  able  to 
define  synchronous  product  in  the  reactive  model.  For  any  SCCS-like  action  monoid  or  group,  the 
corresponding  synchronization  merge  can  be  expressed  in  our  calculus  by  a  combination  of  product 
and  relabeling.  For  example,  the  group  structure  of  SCCS  can  be  obtained  through  relabelings  of 
the form $(a, \bar{a}) \mapsto 1$ and $(\bar{a}, a) \mapsto 1$, where 1 is the unit or idle action of SCCS. As a consequence
relabeling,  which  is  a  derived  operator  in  SCCS  in  the  sense  that  it  can  be  expressed  in  terms  of 
the  other  operators,  has  to  be  introduced  as  a  first-class  operator  in  PCCS. 

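Let X be a variable, A a subset of Act, and $f : \mathrm{Act} \to \mathrm{Act}$. The syntax of PCCS is given by:

$$E ::= 0 \;\mid\; X \;\mid\; \alpha.E \;\mid\; \sum_{i \in I}[p_i]E_i \ \text{ where } p_i \in (0,1],\ \sum_{i \in I} p_i = 1 \;\mid\; E \times F \;\mid\; E \upharpoonright A \;\mid\; E[f] \;\mid\; \mathit{fix}_X E$$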

Intuitively, 0 is the zero process having no transitions, while $\alpha.E$ performs action $\alpha$ with
probability 1 and then behaves like E. The expression $\sum [p_i]E_i$ offers a probabilistic choice among
its constituent behaviors $E_i$. $E \times F$ represents synchronized product, and the restricted expression
$E \upharpoonright A$ can perform actions only from the set A. Finally, $E[f]$ specifies a relabeling of actions, and
$\mathit{fix}_X E$ defines a recursive process.

A PCCS expression is guarded if in its syntactic tree, every path from a recursion operator $\mathit{fix}_X$
to an occurrence of the corresponding variable X passes through an action operator $\alpha.$. In this paper
we require expressions to be restriction-guarded, a much weaker requirement that ensures that the
restriction operators in the generative and stratified models are well-defined. A PCCS expression
is restriction-guarded if in its syntactic tree, every path from a recursion operator $\mathit{fix}_X$ to an
occurrence of the corresponding variable X either passes through an action operator $\alpha.$, or doesn’t
pass through a restriction operator. This excludes expressions like fixx{\o,.X + \b-X -f 5X f{a})
but permits non-guarded expressions like fixxiX[f] -h [a.X) ['{&}). We write $E \in \mathrm{PCCS}$ to indicate
that E is a restriction-guarded PCCS expression. An expression having no free variables is called
a process, and Pr is the set of all restriction-guarded PCCS processes.

For  this  paper,  all  summation  expressions  are  required  to  be  finite.  It  will  be  convenient  to 
assume  that  all  indices  used  in  summation  expressions  come  from  a  given  set  Iq  not  containing  0. 
Also, we write the binary version of process summation as $[p]E + [1-p]F$, assuming an index set
{1,2},  and  often  omit  the  square  brackets  around  the  probabilities. 
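$$\alpha.E \xrightarrow{\alpha} E
\qquad
\frac{E_j \xrightarrow{\alpha} E',\ j \in I}{\sum_{i \in I}[p_i]E_i \xrightarrow{\alpha} E'}
\qquad
\frac{E \xrightarrow{\alpha} E',\ F \xrightarrow{\beta} F'}{E \times F \xrightarrow{(\alpha,\beta)} E' \times F'}$$

$$\frac{E \xrightarrow{\alpha} E',\ \alpha \in A}{E \upharpoonright A \xrightarrow{\alpha} E' \upharpoonright A}
\qquad
\frac{E \xrightarrow{\alpha} E'}{E[f] \xrightarrow{f(\alpha)} E'[f]}
\qquad
\frac{E\{\mathit{fix}_X E / X\} \xrightarrow{\alpha} E'}{\mathit{fix}_X E \xrightarrow{\alpha} E'}$$

Figure 4: Nonprobabilistic operational semantics of PCCS.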


3  The  Nonprobabilistic  Model 

We  start  with  the  nonprobabilistic  model  of  PCCS  based  on  Milner’s  model  of  SCCS  [Mil83].  In 
this  model  all  probabilities  are  neglected  and  the  only  difference  between  PCCS  and  SCCS  is  the 
different communication format. The reasons for including this section are to facilitate comparison
between  the  probabilistic  models  and  the  classical  one,  and  to  present  some  proofs  pertaining  to 
classical  bisimulation  in  such  a  way  that  they  can  be  recycled  in  the  probabilistic  case. 


3.1  Nonprobabilistic  Operational  Semantics  of  PCCS 

The nonprobabilistic operational semantics of PCCS is given by the inference rules of Figure 4.
We write $N \vdash P \xrightarrow{\alpha} P'$ or just $P \xrightarrow{\alpha} P'$ if $P \xrightarrow{\alpha} P'$ can be derived from these rules. We refer
to $P \xrightarrow{\alpha} P'$ as a transition and its intuitive meaning is that P can perform action $\alpha$ to become
P'. The rules of Figure 4 induce a mapping from Pr to a domain of nonprobabilistic labeled
transition systems.

Definition 1 A (nonprobabilistic) transition system is a triple (S, T, I) with

- S a set of states,

- $T \subseteq S \times \mathrm{Act} \times S$ a set of transitions,

- and $I \in S$ the initial state.


In a transition system all parts that are not reachable from the root as well as the identity of the
states are often considered irrelevant. Therefore an isomorphism between two transition systems
can be defined as a bijective relation between their reachable states, preserving transitions and the
initial state. Isomorphic transition systems are conceptually identified. Now $\varphi_N(P)$ for $P \in \mathrm{Pr}$
is defined to be the transition system (S, T, I) with S = Pr, I = P and T the set of transitions
$\{(P, \alpha, P') \mid N \vdash P \xrightarrow{\alpha} P'\}$.
Let $G_N$ be the domain of transition systems (or process graphs). To extend the mapping
$\varphi_N : \mathrm{Pr} \to G_N$ to an interpretation of the open (restriction-guarded) PCCS expressions in $G_N$,
let PCCS-$G_N$ be the language PCCS to which all transition systems $G \in G_N$ have been added as
constants. We introduce an operational rule $G \xrightarrow{\alpha} G_s$ for each initial transition $(I, \alpha, s)$ in each
transition system G = (S, T, I). Here $G_s$ denotes the transition system with the same states and
transitions as G, but with s as the initial state. Let $\varphi'_N$ be the extension of $\varphi_N$ to closed PCCS-$G_N$
expressions. Now let E be an open PCCS expression and $\xi$ a valuation of the free variables of
E in $G_N$. Then denoting by $E^\xi$ the result of substituting the constant $\xi(X)$ for X in E, for all
occurrences of free variables X in E, allows us finally to define $\varphi_N(E)(\xi)$

Note that the extended $\varphi_N$ in particular defines an interpretation of the PCCS operators in
$G_N$, thereby making $G_N$ into a PCCS-algebra.


3.2  Bisimulation 

In  this  section  we  reformulate  strong  bisimulation  [Mil83]  as  bisimulation  in  the  nonprobabilistic 
model,  which  we  explicitly  call  nonprobabilistic  bisimulation.  A  nonprobabilistic  bisimulation  will 
be  presented  as  an  equivalence  relation  over  Pr.  For  this  purpose  we  need  a  predicate  that  indicates 
whether  or  not  from  a  given  process  it  is  possible  to  reach  (a  member  of)  a  set  of  processes  by 
means of an $\alpha$-step. Using $\mathcal{P}$ for the powerset operator we have:


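Definition 2 The function $\mu_N : (\mathrm{Pr} \times \mathrm{Act} \times \mathcal{P}(\mathrm{Pr})) \to \{0, 1\}$ is given by:
$\forall \alpha \in \mathrm{Act}$, $\forall P \in \mathrm{Pr}$, $\forall S \subseteq \mathrm{Pr}$,

$$\mu_N(P, \alpha, S) = \begin{cases} 1 & \text{if } \exists Q \in S \text{ with } P \xrightarrow{\alpha} Q \\ 0 & \text{otherwise} \end{cases}$$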


For an equivalence relation $\mathcal{R}$ over Pr, we write $\mathrm{Pr}/\mathcal{R}$ to denote the set of equivalence classes
induced by $\mathcal{R}$, and $[P]_{\mathcal{R}}$ to denote the equivalence class of which P is a member. Nonprobabilistic
bisimulation can now be defined as follows:


Definition 3 An equivalence relation $\mathcal{R} \subseteq \mathrm{Pr} \times \mathrm{Pr}$ is a nonprobabilistic bisimulation if $(P, Q) \in \mathcal{R}$
implies: $\forall S \in \mathrm{Pr}/\mathcal{R}$, $\forall \alpha \in \mathrm{Act}$,

$$\mu_N(P, \alpha, S) = \mu_N(Q, \alpha, S)$$

Two processes $P, Q \in \mathrm{Pr}$ are nonprobabilistic bisimulation equivalent (written $P \sim Q$) if there
exists a nonprobabilistic bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. Two open PCCS expressions
$E, F \in \mathrm{PCCS}$ are nonprobabilistic bisimulation equivalent iff they are nonprobabilistic bisimulation
equivalent after any substitution of closed terms for their free variables.

This definition can easily be transformed into a definition of bisimulation on transition systems
(a bisimulation between two transition systems is a relation on the disjoint union of their states),
such that, for $E, F \in \mathrm{PCCS}$, $E \sim F \Leftrightarrow \forall$ valuations $\xi$: $\varphi_N(E)(\xi) \sim \varphi_N(F)(\xi)$.
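
For a finite transition system in the sense of Definition 1, the largest bisimulation of Definition 3 can be computed by repeatedly splitting a partition of the states until every block agrees on $\mu_N$. The Python sketch below is an added illustration, not part of the paper: it uses naive partition refinement, and the sample systems and state names are constructed here.

```python
def mu_N(trans, p, alpha, block):
    """mu_N(P, alpha, S) of Definition 2: 1 if some alpha-step from p
    ends in a state of `block`, otherwise 0."""
    return 1 if any(src == p and act == alpha and dst in block
                    for (src, act, dst) in trans) else 0


def largest_bisimulation(states, trans):
    """Coarsest partition of `states` whose blocks are equivalence classes
    of a bisimulation: states in one block have equal mu_N for every
    action and every block (Definition 3)."""
    actions = sorted({act for (_, act, _) in trans})
    partition = [frozenset(states)]
    while True:
        def signature(p):
            return tuple(mu_N(trans, p, a, b)
                         for a in actions for b in partition)

        refined = []
        for block in partition:
            groups = {}
            for p in block:
                groups.setdefault(signature(p), set()).add(p)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(partition):  # nothing split: stable
            return set(refined)
        partition = refined


def bisimilar(states, trans, p, q):
    """True iff p and q lie in the same class of the largest bisimulation."""
    return any(p in b and q in b for b in largest_bisimulation(states, trans))


# Constructed sample: the disjoint union of four small transition systems.
#   s0 = a.(b + c)      t0 = a.b + a.c   (not bisimilar)
#   u0 = a.b + a.b      v0 = a.b         (bisimilar)
TRANS = [
    ("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3"),
    ("t0", "a", "t1"), ("t0", "a", "t2"), ("t1", "b", "t3"), ("t2", "c", "t4"),
    ("u0", "a", "u1"), ("u0", "a", "u2"), ("u1", "b", "u3"), ("u2", "b", "u4"),
    ("v0", "a", "v1"), ("v1", "b", "v2"),
]
STATES = {s for (src, _, dst) in TRANS for s in (src, dst)}

if __name__ == "__main__":
    print("s0 ~ t0:", bisimilar(STATES, TRANS, "s0", "t0"))
    print("u0 ~ v0:", bisimilar(STATES, TRANS, "u0", "v0"))
```

Working on the disjoint union of the systems matches the remark above that a bisimulation between two transition systems is a relation on the disjoint union of their states.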

Proposition 1 If $\mathcal{R}_i$ ($i \in I$) is a collection of bisimulations, then also their reflexive and transitive
closure $(\bigcup_i \mathcal{R}_i)^*$ is a bisimulation.

Proof: Since each of the relations $\mathcal{R}_i$ is symmetric, $(\bigcup_i \mathcal{R}_i)^*$ is also symmetric, and hence an
equivalence relation. Now suppose $(P, Q) \in (\bigcup_i \mathcal{R}_i)^*$. Then there are $P_j$ ($j = 0, \ldots, n$) for certain
$n \in \mathbb{N}$, such that $P = P_0$, $Q = P_n$ and (for $j = 1, \ldots, n$) $(P_{j-1}, P_j) \in \mathcal{R}_k$ for certain $k \in I$.
Suppose $S \in \mathrm{Pr}/(\bigcup_i \mathcal{R}_i)^*$ and $\alpha \in \mathrm{Act}$. Let $1 \le j \le n$ and $(P_{j-1}, P_j) \in \mathcal{R}_k$. Since S is the
union of a number of equivalence classes $T \in \mathrm{Pr}/\mathcal{R}_k$ and $\mu_N(P_{j-1}, \alpha, T) = \mu_N(P_j, \alpha, T)$ for any
$T \in \mathrm{Pr}/\mathcal{R}_k$, it follows that $\mu_N(P_{j-1}, \alpha, S) = \mu_N(P_j, \alpha, S)$. This is true for all $j = 1, \ldots, n$; thus
$\mu_N(P, \alpha, S) = \mu_N(Q, \alpha, S)$. Hence $(\bigcup_i \mathcal{R}_i)^*$ is a bisimulation. □

Corollary  2  (Equivalence)  Bisimulation  equivalence  is  an  equivalence  relation  on  Pr. 

Proof: From the definition of $\sim$ it follows that on Pr we have

$$\sim \;=\; \bigcup \{\, \mathcal{R} \mid \mathcal{R} \text{ is a nonprobabilistic bisimulation} \,\}$$

Thus by Proposition 1, $\sim$ is itself a bisimulation and hence an equivalence relation. □

It  is  not  difficult  to  see  that  a  nonprobabilistic  bisimulation  is  just  a  strong  bisimulation  [Mil83, 
Mil89]  that  happens  to  be  an  equivalence  relation.  Since  strong  bisimulation  equivalence,  defined 
as  the  union  of  all  strong  bisimulations,  is  an  equivalence  relation  itself  [Mil83,  Mil89],  this  is 
not  a  limiting  restriction  and  nonprobabilistic  bisimulation  equivalence  (being  the  union  of  all 
nonprobabilistic  bisimulations)  coincides  with  strong  bisimulation  equivalence. 

The following congruence theorem stems from Milner [Mil83, Mil89]. Our proof is a bit different
from Milner’s because we insist that bisimulations should be equivalences and reason in terms of
the function $\mu_N$ rather than using the underlying transitions. This pays off when we add the
probabilities.

In the proof of the theorem, we lift the PCCS operators to sets of expressions, which is done in
the natural way. For example, for $S \subseteq \mathrm{Pr}$, $A \subseteq \mathrm{Act}$, $S \upharpoonright A$ designates the set $\{P \upharpoonright A \mid P \in S\}$.

A PCCS context is defined as a PCCS expression that may contain a special constant $\Omega$. If
C is a PCCS context and E a PCCS expression, then C[E] is the result of substituting E for all
occurrences of $\Omega$ in C, and Cl^] (C [^1 ) is the result of substituting E for all occurrences of $\Omega$ in
C that are (not) in the scope of an operator $\mathit{fix}_X$. Although we are only interested in contexts
with exactly one “hole”, i.e. one occurrence of $\Omega$, it is technically advantageous (in the congruence
proofs) to also allow contexts without holes or with more than one hole. In C[E], though, all our
holes are instantiated with the same expression E. The set of all restriction-guarded PCCS contexts
is denoted PCCS[ ].


Theorem 3 (Congruence) For $E, F \in \mathrm{PCCS}$, $C \in \mathrm{PCCS}[\ ]$: $E \sim F$ implies $C[E] \sim C[F]$.

Proof: The case of open PCCS expressions C[E], C[F] can be reduced to the closed case, by
considering C[E], C[F] under all possible substitutions. Note that for an expression C[E] any
variable in E is either bound within E, free in E but bound within C[E], or free even in C[E].
Due to the definition of bisimulation equivalence on open terms, we can eliminate from further
consideration variables of the last kind, as well as free variables occurring in C. Now, adopting the
convention that “$C \in \mathrm{PCCS}[\ ]^*$” should be read as “$C \in \mathrm{PCCS}[\ ]$ such that $C[E], C[F] \in \mathrm{Pr}$”,
it is enough to show that the equivalence (i.e. reflexive, symmetric, and transitive) closure $\mathcal{R}$ of
$\mathcal{R}' = \{(C[E], C[F]) \mid E \sim F,\ C \in \mathrm{PCCS}[\ ]^*\}$ is a bisimulation. This can be established by showing
that for all $(P, Q) \in \mathcal{R}$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\alpha \in \mathrm{Act}$,

$$\mu_N(P, \alpha, S) = \mu_N(Q, \alpha, S)$$


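We may assume $(P, Q) \in \mathcal{R}'$, because the extension to the equivalence closure is straightforward.
Thus we have to show that for all $E, F \in \mathrm{PCCS}$ with $E \sim F$,

$$\forall C \in \mathrm{PCCS}[\ ]^*,\ \forall S \in \mathrm{Pr}/\mathcal{R},\ \forall \alpha \in \mathrm{Act},\quad \mu_N(C[E], \alpha, S) = \mu_N(C[F], \alpha, S) \qquad (1)$$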

We proceed by induction on the number of free variables in $E$ and $F$. Let $E, F \in$ PCCS such that
$E \sim F$, and suppose (1) is established for pairs $E', F' \in$ PCCS with fewer free variables. Then it is
enough to establish only one direction of (1), with $\le$ substituted for $=$, as the converse direction,
$\ge$, follows by symmetry. Write $N \vdash_n P \xrightarrow{\alpha} P'$ if the transition $P \xrightarrow{\alpha} P'$ can be derived by a
proof-tree of depth $n$ or less, and define $\mu_N^n : (\mathrm{Pr} \times \mathrm{Act} \times \mathcal{P}(\mathrm{Pr})) \to \{0, 1\}$ by

$$\mu_N^n(P, \alpha, S) = \begin{cases} 1 & \text{if } \exists Q \in S \text{ with } N \vdash_n P \xrightarrow{\alpha} Q \\ 0 & \text{otherwise} \end{cases}$$

Now $\mu_N(P, \alpha, S) = \lim_{n \to \infty} \mu_N^n(P, \alpha, S)$, so we only have to show that for all $n \ge 0$,

$$\forall C \in \mathrm{PCCS}[\,]^*,\ \forall S \in \mathrm{Pr}/\mathcal{R},\ \forall \alpha \in \mathrm{Act},\quad \mu_N^n(C[E], \alpha, S) \le \mu_N(C[F], \alpha, S) \tag{2}$$

This will be done by induction on $n$.

The case $n = 0$ is trivial, so we may assume (2) for a certain $n \ge 0$. In proving (2) for $n + 1$
we distinguish seven cases, depending on the topmost operator (or lack thereof) of $C$. From here
onwards we drop the subscripts $N$.


Empty context: We have to show that for all $S \in \mathrm{Pr}/\mathcal{R}$ and $\alpha \in \mathrm{Act}$,

$$\mu^{n+1}(E, \alpha, S) \le \mu(F, \alpha, S) \tag{3}$$

$\sim$ is contained in the equivalence relation $\mathcal{R}$. Thus $S$ is the disjoint union of one or more
$T \in \mathrm{Pr}/{\sim}$, and it suffices to prove (3) for these $T$ instead of $S$. This follows immediately
from $E \sim F$:

$$\mu^{n+1}(E, \alpha, T) \le \mu(E, \alpha, T) = \mu(F, \alpha, T)$$

Note that at this point we cannot obtain (2) with the superscript $n$ at both sides of the
inequality.

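Action prefixing: We have to show that for all $C \in \mathrm{PCCS}[\,]^*$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\beta \in \mathrm{Act}$,

$$\mu^{n+1}(\alpha.C[E], \beta, S) \le \mu(\alpha.C[F], \beta, S) \tag{4}$$

For any $E \in$ PCCS,

$$\mu^{n+1}(\alpha.E, \beta, S) = \mu(\alpha.E, \beta, S) = \begin{cases} 1 & \text{if } \alpha = \beta \text{ and } E \in S \\ 0 & \text{otherwise} \end{cases}$$

Thus, if $\alpha \ne \beta$ requirement (4) is fulfilled trivially, and if $\alpha = \beta$ it follows since $C[E]$ and $C[F]$
are in the same equivalence class $S' \in \mathrm{Pr}/\mathcal{R}$.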
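Summation: We have to show that for all $C_i \in \mathrm{PCCS}[\,]^*$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\alpha \in \mathrm{Act}$,

$$\mu^{n+1}\Big(\sum_{i \in I} [p_i]\, C_i[E], \alpha, S\Big) \le \mu\Big(\sum_{i \in I} [p_i]\, C_i[F], \alpha, S\Big) \tag{5}$$

Indeed, using LHS and RHS to denote the left- and right-hand sides of (5), we infer

$$\mathrm{LHS} = \max_{i \in I}\big(\mu^n(C_i[E], \alpha, S)\big) \stackrel{\text{induction}}{\le} \max_{i \in I}\big(\mu(C_i[F], \alpha, S)\big) = \mathrm{RHS}$$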

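Product: We have to show that for all $C_i \in \mathrm{PCCS}[\,]^*$ $(i = 1, 2)$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\gamma \in \mathrm{Act}$,

$$\mu^{n+1}(C_1[E] \times C_2[E], \gamma, S) \le \mu(C_1[F] \times C_2[F], \gamma, S) \tag{6}$$

Since $\mu^{n+1}(C_1[E] \times C_2[E], \gamma, S - (\mathrm{Pr} \times \mathrm{Pr})) = 0$, we may in (6) replace $S$ by $S \cap (\mathrm{Pr} \times \mathrm{Pr})$.
By the definition of $\mathcal{R}$ we have $(P_1, P_2) \in \mathcal{R} \wedge (Q_1, Q_2) \in \mathcal{R} \Rightarrow (P_1 \times Q_1, P_2 \times Q_2) \in \mathcal{R}$. Hence
$S \cap (\mathrm{Pr} \times \mathrm{Pr})$ is the disjoint union of a collection of sets of the form $S_1 \times S_2$ with $S_1, S_2 \in \mathrm{Pr}/\mathcal{R}$,
and it suffices to prove (6) for such sets $S_1 \times S_2$ instead of $S \cap (\mathrm{Pr} \times \mathrm{Pr})$. Moreover we may
assume that $\gamma$ is of the form $(\alpha, \beta)$, since otherwise $\mu^{n+1}(C_1[E] \times C_2[E], \gamma, S) = 0$ and we are
done. Thus we have to show that for all $C_i \in \mathrm{PCCS}[\,]^*$, $S_i \in \mathrm{Pr}/\mathcal{R}$ $(i = 1, 2)$ and $\alpha, \beta \in \mathrm{Act}$,

$$\mu^{n+1}(C_1[E] \times C_2[E], (\alpha, \beta), S_1 \times S_2) \le \mu(C_1[F] \times C_2[F], (\alpha, \beta), S_1 \times S_2)$$

$$\mathrm{LHS} = \mu^n(C_1[E], \alpha, S_1) \cdot \mu^n(C_2[E], \beta, S_2) \stackrel{\text{induction}}{\le} \mu(C_1[F], \alpha, S_1) \cdot \mu(C_2[F], \beta, S_2) = \mathrm{RHS}$$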

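Restriction: We have to show that for all $C \in \mathrm{PCCS}[\,]^*$, $A \subseteq \mathrm{Act}$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\alpha \in \mathrm{Act}$,

$$\mu^{n+1}(C[E] \upharpoonright A, \alpha, S) \le \mu(C[F] \upharpoonright A, \alpha, S) \tag{7}$$

Since $\mu^{n+1}(C[E] \upharpoonright A, \alpha, S - \mathrm{Pr} \upharpoonright A) = 0$, we may in (7) replace $S$ by $S \cap (\mathrm{Pr} \upharpoonright A)$. By the
definition of $\mathcal{R}$ we have $(P_1, P_2) \in \mathcal{R} \Rightarrow (P_1 \upharpoonright A, P_2 \upharpoonright A) \in \mathcal{R}$. Hence $S \cap (\mathrm{Pr} \upharpoonright A)$ is the disjoint
union of a collection of sets of the form $S' \upharpoonright A$ with $S' \in \mathrm{Pr}/\mathcal{R}$, and it suffices to prove (7) for
such sets $S' \upharpoonright A$ instead of $S \cap (\mathrm{Pr} \upharpoonright A)$. Moreover we may assume that $\alpha \in A$, since otherwise
$\mu^{n+1}(C[E] \upharpoonright A, \alpha, S) = 0$ and we are done. Thus we have to show that for all $C \in \mathrm{PCCS}[\,]^*$,
$A \subseteq \mathrm{Act}$, $S' \in \mathrm{Pr}/\mathcal{R}$ and $\alpha \in A$,

$$\mu^{n+1}(C[E] \upharpoonright A, \alpha, S' \upharpoonright A) \le \mu(C[F] \upharpoonright A, \alpha, S' \upharpoonright A)$$

$$\mathrm{LHS} = \mu^n(C[E], \alpha, S') \stackrel{\text{induction}}{\le} \mu(C[F], \alpha, S') = \mathrm{RHS}$$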

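Relabeling: We have to show that for all $C \in \mathrm{PCCS}[\,]^*$, $f : \mathrm{Act} \to \mathrm{Act}$, $S \in \mathrm{Pr}/\mathcal{R}$ and $\beta \in \mathrm{Act}$,

$$\mu^{n+1}(C[E][f], \beta, S) \le \mu(C[F][f], \beta, S) \tag{8}$$

Since $\mu^{n+1}(C[E][f], \beta, S - \mathrm{Pr}[f]) = 0$, we may in (8) replace $S$ by $S \cap \mathrm{Pr}[f]$. By the definition
of $\mathcal{R}$ we have $(P_1, P_2) \in \mathcal{R} \Rightarrow (P_1[f], P_2[f]) \in \mathcal{R}$. Hence $S \cap \mathrm{Pr}[f]$ is the disjoint union of a
collection of sets of the form $S'[f]$ with $S' \in \mathrm{Pr}/\mathcal{R}$, and it suffices to prove (8) for such sets
$S'[f]$ instead of $S \cap \mathrm{Pr}[f]$. Thus we have to show that for all $C \in \mathrm{PCCS}[\,]^*$, $f : \mathrm{Act} \to \mathrm{Act}$,
$S' \in \mathrm{Pr}/\mathcal{R}$ and $\beta \in \mathrm{Act}$,

$$\mu^{n+1}(C[E][f], \beta, S'[f]) \le \mu(C[F][f], \beta, S'[f])$$

$$\mathrm{LHS} = \max_{f(\alpha) = \beta}\big(\mu^n(C[E], \alpha, S')\big) \stackrel{\text{induction}}{\le} \max_{f(\alpha) = \beta}\big(\mu(C[F], \alpha, S')\big) = \mathrm{RHS}$$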

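Recursion: We have to show that for all $C \in \mathrm{PCCS}[\,]$ with $\mathit{fix}_X C \in \mathrm{PCCS}[\,]^*$, $S \in \mathrm{Pr}/\mathcal{R}$ and
$\alpha \in \mathrm{Act}$,

$$\mu^{n+1}(\mathit{fix}_X C[E], \alpha, S) \le \mu(\mathit{fix}_X C[F], \alpha, S)$$

In case $X$ does not occur free in $E$ or $F$ this follows since

$$\mathrm{LHS} = \mu^n(C[E]\{\mathit{fix}_X C[E]/X\}, \alpha, S) = \mu^n(C\{\mathit{fix}_X C/X\}[E], \alpha, S) \stackrel{\text{induction}}{\le}$$
$$\mu(C\{\mathit{fix}_X C/X\}[F], \alpha, S) = \mu(C[F]\{\mathit{fix}_X C[F]/X\}, \alpha, S) = \mathrm{RHS}$$

In case $X$ does occur free in $E$ or $F$ we have $E\{\mathit{fix}_X C[F]/X\} \sim F\{\mathit{fix}_X C[F]/X\}$ by Definition 3,
and since these expressions have fewer free variables than $E$ and $F$ it follows that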

n{C{fixxCIX}'£l[E{fixxC[F]IX)],  a,  S)  =  ix{C{fixxCIX)^\[F{fixxC[F]IX)],  a,  S)  (9) 

induction 

Hence  LHS  =  iJi'''{C[E\{fixxC[E\IX],  a,  S)  =  iF'{C\E\J,fixxCIX}[E\,  a,  S)  < 

(9) 

^i{C\fl{^ixxC|X}[F\,  a,  S)  =  ii{C[F]{fixxC[F\l X] ,  a,  S)  =  RHS 
This  argument  is  illustrated  in  Figure  5. 


4  The  Reactive  Model 

The reactive model of probabilistic processes was introduced by Larsen and Skou in [LS91]. In this
section, we consider the reactive model within the context of PCCS$_R$, the sublanguage of PCCS
with guarded recursion and without relabeling. We begin by presenting the reactive operational
semantics for PCCS$_R$ that defines a probabilistic transition system for every PCCS$_R$ process. We
then equip the model with a notion of probabilistic bisimulation, also due to Larsen and Skou, and
show that the resulting equivalence relation is a congruence with respect to PCCS$_R$.

We  restrict  ourselves  to  guarded  recursion  in  order  to  ensure  that  the  reactive  summation 
operator  is  well-defined.  That  we  do  not  give  a  reactive  semantics  to  the  relabeling  operator  is  due 
to  an  inherent  incompatibility  between  this  operation  and  the  reactive  viewpoint.  For  example, 
consider  process  P  =  ^a.X  -1-  \b.Y.  P  has  a  probability-1  a-transition  to  X  and  a  probability-1 
b-transition to Y. However, if the relabeling that maps a to itself and b to a is applied to P, then
we may end up with a “nonsensical” object having two probability-1 a-transitions. Some form of
relabeling could be defined in the reactive model if an appropriate normalization procedure were
applied. Here three normalization procedures come to mind. Let Q = |a.X + \a.X + ^b.Y + |c.Z
and again rename b into a. Now a “syntactic” normalization procedure would yield a probability-^
a-transition to Y. This is also the solution obtained by abstracting from the generative or stratified
model (i.e. by applying $\varphi_{GR} \circ \varphi_G$ or $\varphi_{SR} \circ \varphi_S$), and from the counterexample in Section 7.1 it
follows that this solution is not compositional. An intermediate normalization procedure would
yield a probability- 1 a-transition to Y (by counting the number of summands that can do an
a-step). But then Q and Q' = fa.X + ^b.Y + \c.Z would behave differently after relabeling, and
bisimulation equivalence would not be a congruence. Finally a “semantic” normalization procedure
would give the a-transition to Y probability ^ (by counting the number of actions that are renamed
into a), but here the disadvantage is that first renaming b into a and then c into a yields a different
outcome than doing this in the reverse order. Of course, injective relabelings can be added without
problem.

Figure 5: The last steps in the congruence proof.

Figure 6: Reactive operational semantics of PCCS$_R$.

A solution to the problem of defining relabeling in the reactive model has recently been found
by Larsen and Skou [personal communication]. They propose to equip a relabeling that renames
actions $a_1, \ldots, a_n$ into $a$ with a probability distribution that associates a probability $p_i$ to each
of the $a_i$'s. These probabilities then determine the normalization factor. As such a probabilistic
relabeling is meaningless in the generative and stratified models, we will not consider this solution
in the present paper.

The  same  problems  encountered  in  defining  renaming  in  the  reactive  model  apply  to  the  SCCS 
product,  as  relabeling  can  be  expressed  in  terms  of  product  and  the  other  SCCS  operators.  For 
this reason, we have “split” the SCCS product into the PCCS product and relabeling, only the latter
of  which  has  to  be  sacrificed  in  the  reactive  model. 

4.1 Reactive Operational Semantics of PCCS$_R$

The reactive operational semantics of PCCS$_R$ is given in Figure 6 as a set of inference rules.
Reactive  transitions  are  of  the  form 


meaning that $P$, with probability $p$, can perform an $\alpha$-transition to become $P'$. The index $i$ is
explained just below.

In the second rule, in which $\{\!|$ and $|\!\}$ denote multiset brackets, $\nu$ is the normalization factor used to
compute the conditional probabilities of the sum under the assumption $\alpha$. The rest of the rules are
straightforward adaptations of their nonprobabilistic counterparts.

Unlike in the nonprobabilistic case, all probabilistic transitions are indexed. The set $I_R$ of
reactive indices is the smallest set such that $0 \in I_R$, $j \in I_0, k \in I_R \Rightarrow j.k \in I_R$, and
$i, j \in I_R \Rightarrow (i, j) \in I_R$. The purpose of the indices is to distinguish different occurrences of the same
probabilistic transition. They are constructed so that every outgoing probabilistic transition of an
expression has a unique index. (The indices will be used in the next section to define cumulative
probability distributions.) The following example is illustrative:

$$([\tfrac{1}{2}]a.0 + [\tfrac{1}{2}]a.0) \stackrel{a[\frac{1}{2}]}{\hookrightarrow}_{1.0} 0 \qquad\qquad ([\tfrac{1}{2}]a.0 + [\tfrac{1}{2}]a.0) \stackrel{a[\frac{1}{2}]}{\hookrightarrow}_{2.0} 0$$

As in the nonprobabilistic case, the reactive operational rules collectively define the semantic
mapping $\varphi_R$ from $\mathrm{Pr}_R$, the closed expressions of PCCS$_R$, and even from the open PCCS$_R$
expressions, to the domain of reactive probabilistic labeled transition systems.


Definition 4 A reactive (probabilistic) transition system is a triple $(S, T, I)$ with

— $S$ a set of states,

— $T \subseteq S \times \mathrm{Act} \times (0, 1] \times I_R \times S$ a set of transitions, such that

1. $\big((s, \alpha, p, i, t) \in T \wedge (s, \beta, q, i, r) \in T\big) \Rightarrow (\alpha = \beta \wedge p = q \wedge t = r)$

2. $\forall s \in S,\ \forall \alpha \in \mathrm{Act},\ \sum \{\!|\, p \mid \exists i \in I_R, t \in S : (s, \alpha, p, i, t) \in T \,|\!\} \in \{0, 1\}$

— and $I \in S$ the initial state.


The first requirement of $T$ says that all outgoing transitions of a given state have different
indices. The second one says that for each state the probabilities of the outgoing $\alpha$-transitions,
if there are any, sum up to 1, for any action $\alpha$ separately. An isomorphism between two reactive
transition systems is a bijective mapping $f$ between their reachable states and transitions, satisfying
$f(s, \alpha, p, i, t) = (f(s), \alpha, p, j, f(t))$, where $i$ and $j$ may be different indices, and $f(I) = I'$, where
$I$ and $I'$ are the initial states of the two systems. The mapping $\varphi_R$ is defined just as $\varphi_N$ in the
previous section. It is not difficult to see that $\varphi_R(P)$ meets the requirements for reactive transition
systems.


4.2  Reactive  Bisimulation 

We now consider reactive bisimulation, a notion of probabilistic bisimulation for reactive processes
due to Larsen and Skou [LS91]. By definition, all reactive bisimulations are equivalence relations.
Intuitively, two processes $P, Q$ are probabilistically bisimilar in the reactive model if, for each action
symbol, they derive reactive bisimulation classes with equal cumulative probability.

To define reactive bisimulation, we first need to define the cumulative probability distribution
function (cPDF) which computes the total probability by which a process derives a set of processes.
Adopting the convention that the empty sum of probabilities is 0, we have:

Definition 5 (Reactive cPDF) $\mu_R : (\mathrm{Pr}_R \times \mathrm{Act} \times \mathcal{P}(\mathrm{Pr}_R)) \to [0, 1]$ is the total function given
by: $\forall \alpha \in \mathrm{Act}$, $\forall P \in \mathrm{Pr}_R$, $\forall S \subseteq \mathrm{Pr}_R$,

$$\mu_R(P, \alpha, S) = \sum_{i \in I_R} \{\!|\, p_i \mid P \stackrel{\alpha[p_i]}{\hookrightarrow}_i Q \text{ and } Q \in S \,|\!\}$$

Reactive bisimulation can now be defined as follows:

Definition 6 ([LS91]) An equivalence relation $\mathcal{R} \subseteq \mathrm{Pr}_R \times \mathrm{Pr}_R$ is a reactive bisimulation if
$(P, Q) \in \mathcal{R}$ implies: $\forall S \in \mathrm{Pr}_R/\mathcal{R}$, $\forall \alpha \in \mathrm{Act}$,

$$\mu_R(P, \alpha, S) = \mu_R(Q, \alpha, S)$$

Two processes $P, Q$ are reactive bisimulation equivalent (written $P \stackrel{R}{\sim} Q$) if there exists a reactive
bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$.

By the same proof as was used for nonprobabilistic bisimulation, reactive bisimulation equivalence
can be shown to be an equivalence relation indeed. Furthermore, reactive bisimulation
equivalence is the largest reactive bisimulation and can be found by a straightforward adaptation
of the fixed-point iteration technique of [Mil89].
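The fixed-point iteration mentioned above, restricted to finite systems, as an added example (not code from the paper): it starts from the one-class partition and splits classes until Definition 6 holds, using exact fractions. The transition system, the state names and every function name are constructed for this sketch.

```python
from collections import defaultdict
from fractions import Fraction as Fr

# Constructed reactive transition system in the shape of Definition 4:
# (source, action, probability, index, target). State names are made up.
TRANSITIONS = [
    ("P", "a", Fr(1, 2), "1.0", "P1"),
    ("P", "a", Fr(1, 2), "2.0", "P2"),
    ("P", "b", Fr(1), "3.0", "D"),
    ("Q", "a", Fr(1), "1.0", "Q1"),
    ("Q", "b", Fr(1), "2.0", "D"),
    ("P1", "c", Fr(1), "0", "D"),
    ("P2", "c", Fr(1), "0", "D"),
    ("Q1", "c", Fr(1), "0", "D"),
    ("U", "a", Fr(1, 3), "1.0", "P1"),
    ("U", "a", Fr(2, 3), "2.0", "D"),
]
STATES = {"P", "Q", "P1", "P2", "Q1", "U", "D"}


def check_reactive(transitions):
    """Enforce both requirements of Definition 4, raising ValueError if violated."""
    used, totals = set(), defaultdict(Fr)
    for s, a, p, i, _t in transitions:
        if (s, i) in used:
            raise ValueError(f"index {i} occurs twice in state {s}")
        if not 0 < p <= 1:
            raise ValueError(f"probability {p} is outside (0, 1]")
        used.add((s, i))
        totals[(s, a)] += p
    for (s, a), total in totals.items():
        if total != 1:  # a sum of 0 simply means there is no such transition
            raise ValueError(f"{a}-transitions of {s} sum to {total}")


def is_reactive(transitions):
    """True when the transitions form a reactive transition system."""
    try:
        check_reactive(transitions)
    except ValueError:
        return False
    return True


def mu_R(transitions, p, action, targets):
    """Reactive cPDF of Definition 5: probability that p moves into targets by action."""
    return sum((prob for s, a, prob, _i, t in transitions
                if s == p and a == action and t in targets), Fr(0))


def reactive_bisimulation_classes(states, transitions):
    """Coarsest partition in which equivalent states agree on mu_R for every class."""
    check_reactive(transitions)
    actions = sorted({a for _s, a, _p, _i, _t in transitions})
    partition = [frozenset(states)]
    while True:
        refined = []
        for block in partition:
            groups = defaultdict(set)
            for p in block:
                # Signature: cumulative probability into every current class.
                sig = tuple(mu_R(transitions, p, a, c)
                            for a in actions for c in partition)
                groups[sig].add(p)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(partition):  # nothing was split: fixed point
            return set(refined)
        partition = refined


def bisimilar(classes, p, q):
    """True when p and q end up in the same equivalence class."""
    return any(p in c and q in c for c in classes)


if __name__ == "__main__":
    for cls in sorted(reactive_bisimulation_classes(STATES, TRANSITIONS), key=sorted):
        print(sorted(cls))
```

Here P and Q are identified although P splits its a-step over two targets, because both targets lie in one class; a state with two probability-1 a-transitions, like the relabeled object discussed earlier, is rejected by `check_reactive`.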

Like strong bisimulation does for SCCS or CCS, reactive bisimulation equivalence provides a
compositional semantics for PCCS$_R$ that is consistent with the operational semantics defined in
the last section. Specifically:


Theorem 4 (Congruence) For $E, F \in$ PCCS$_R$, $C \in$ PCCS$_R$[ ]: $E \stackrel{R}{\sim} F$ implies $C[E] \stackrel{R}{\sim} C[F]$.


Proof: Following the previous congruence proof, we define $\mathcal{R}$ as the equivalence closure of
$\mathcal{R}' = \{(C[E], C[F]) \mid E \stackrel{R}{\sim} F,\ C \in \mathrm{PCCS}_R[\,]^*\}$. The top of a context $C \in$ PCCS$_R$[ ] is the part that
remains after first removing every subcontext of the form $\alpha.E$ and subsequently every subcontext
not containing a hole. Now let PCCS$_R^k$[ ] be the set of all PCCS$_R$ contexts with at most $k$ nested
summation operators in their top. This time we have to show that for all $E, F \in$ PCCS$_R$ with
$E \stackrel{R}{\sim} F$, and for all $k \in \mathbb{N}$,

$$\forall C \in \mathrm{PCCS}_R^k[\,]^*,\ \forall S \in \mathrm{Pr}_R/\mathcal{R},\ \forall \alpha \in \mathrm{Act},\quad \mu_R(C[E], \alpha, S) = \mu_R(C[F], \alpha, S) \tag{10}$$

This will be done by three nested inductions. First we apply induction on the number of free
variables in $E$ and $F$ and choose $E, F \in$ PCCS$_R$ with $E \stackrel{R}{\sim} F$ for the induction step. Then we
apply induction on $k$ and suppose (10) holds for $k < l$. Finally the proof of (10) for $k = l$ continues
exactly like the one for $\sim$ (i.e. with induction on the depth of derivations), substituting $R$ for $N$
and PCCS$_R^l$[ ] for PCCS[ ], except that the function $\mu_R^n : (\mathrm{Pr}_R \times \mathrm{Act} \times \mathcal{P}(\mathrm{Pr}_R)) \to [0, 1]$ is given
by: $\forall \alpha \in \mathrm{Act}$, $\forall P \in \mathrm{Pr}_R$, $\forall S \subseteq \mathrm{Pr}_R$,

$$\mu_R^n(P, \alpha, S) = \sum_{i \in I_R} \{\!|\, p_i \mid R \vdash_n P \stackrel{\alpha[p_i]}{\hookrightarrow}_i Q \text{ and } Q \in S \,|\!\}$$

and every time we invoke the induction hypothesis, we check that it is applied to contexts in
PCCS$_R^l$[ ]* only (in the case of recursion this follows by guardedness of PCCS$_R$ expressions).
Moreover the case of relabeling is dropped — the congruence proof would break down where the
operation max is applied — and the last line in the case of summation is replaced by:


LHS  = 


rPi-  P^'R{Ci[E],  a,  S) 

\pR{Ci[E],a,PrR)^^ 


induction 


YliejPi  ‘  _  RHS 

Eie/  HPi  I  ^  Ofr 


Here (10) may be applied since $C_i \in$ PCCS$_R^{l-1}$[ ]*.
Figure 7: Generative operational semantics of PCCS.


5  The  Generative  Model 

In contrast to the reactive model, which is defined only over the sublanguage PCCS$_R$ of PCCS,
the generative model is defined over full PCCS. In this section, we provide PCCS with a generative
operational semantics. We then extend the notion of reactive bisimulation to the generative case
and show that the resulting equivalence is a congruence with respect to PCCS.

5.1 Generative Operational Semantics of PCCS

The generative operational semantics of PCCS is given in Figure 7. We use a different kind
of arrow (non-hooked) to distinguish generative transitions from reactive ones. As in the reactive
case, generative transitions are indexed to distinguish multiple occurrences of the same probabilistic
transition. The set $I_G$ of generative indices is equal to $I_R$.

With the exception of restriction, all rules are straightforward adaptations of their nonprobabilistic
counterparts. The restriction rule defines the probabilistic transitions of $E \upharpoonright A$ in terms of the
conditional probabilities of $E$ under the assumption $A$. In this rule, the function $\nu_G$ computes the
generative normalization factor such that $\nu_G(E, A)$ is the sum of the probabilities of the transitions
of $E$ labeled by symbols from $A$. The formal definition of $\nu_G$ is given by

$$\nu_G(E, A) = \sum_{i \in I_G} \{\!|\, p_i \mid E \xrightarrow{\alpha[p_i]}_i E_i,\ \alpha \in A \,|\!\}$$

Note that under the assumptions $E \xrightarrow{\alpha[p]}_i E'$ and $\alpha \in A$, $\nu_G(E, A) > 0$. As we consider
restriction-guarded recursion only, it will follow from the proof of Theorem 5 that $\nu_G$ is well-defined.

To  illustrate  the  generative  operational  semantics,  consider  the  expression 

f:  =  (a.0)x([J16.X  +  [^]c.y  +  [|]0) 
We have:


(a,6)[4] 

E - ^(0,1.0)  0  X  X  E - ^(0,2.0)  0  X  y 


As  ug{E,  {(«,&)})  =  we  also  have: 


(a,6)[l] 


E  ['{(o,  b)}  ’  4(0.1.0)  (0  X  X)  [{{a,  b)} 


A  generative  process  is  said  to  be  stochastic  if  the  sum  of  the  probabilities  of  its  derivations 
is  1.  Otherwise,  when  this  sum  is  strictly  less  than  1,  the  process  is  said  to  be  substochastic,  and 
therefore  possesses  a  non-zero  probability  of  deadlock.  PCCS  expressions  (contexts)  without  0, 
unguarded  recursion  and  restriction  preserve  stochasticity:  if  stochastic  processes  are  substituted 
for  their  free  variables,  then  the  obtained  processes  are  stochastic  as  well.  In  the  case  of  restriction, 
the  obtained  process  may  have  no  derivations  at  all. 

The normalization factor $\nu_G(E, A)$ used in the restriction rule of Figure 7 is such that a
substochastic process placed in a restriction context becomes stochastic or deadlocks completely.
Alternatively, the relative probability of deadlock in a substochastic process can be preserved by
normalizing by the quantity $r = \nu_G(E, A) + 1 - \nu_G(E, \mathrm{Act})$. The term $1 - \nu_G(E, \mathrm{Act})$
represents the probability of deadlock in $E$. To illustrate, we would have in the above example that
VG{E,Act)  =  |,  r  =  |,  and  thus: 

(a,6)[4] 

E  r{(a,  6)} - ^(0,1.0)  (0  X  X)  r{(a,  6)} 


In fact, deadlock preserving and eliminating restriction operators can be combined in one language
by introducing an operator $\upharpoonright A$ for $A \subseteq \mathrm{Act} \cup \{0\}$. From here on all results apply to this extended
language. In Figure 7 the generative normalization factor is now extended by

$$\nu_G(E, A \cup \{0\}) = \nu_G(E, A) + 1 - \nu_G(E, \mathrm{Act})$$

for $A \subseteq \mathrm{Act}$. In the reactive and nonprobabilistic models $\upharpoonright (A \cup \{0\})$ is defined exactly as $\upharpoonright A$.
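The two normalization factors above, applied to the outgoing transitions of a single generative state, as an added example (not code from the paper). The process E, its probabilities and the names `nu_G`, `restrict`, `deadlock_probability`, `classify` and `DEADLOCK` are constructed for this sketch; `DEADLOCK` stands for the extra element 0 that may be added to A.

```python
from fractions import Fraction as Fr

DEADLOCK = "0"  # assumed marker for the element 0 in A ∪ {0}

# Constructed substochastic state E: (action, probability, index, target).
# The probabilities sum to 3/5, so E deadlocks with probability 2/5.
E = [
    ("a", Fr(1, 5), "1.0", "X"),
    ("b", Fr(2, 5), "2.0", "Y"),
]


def deadlock_probability(transitions):
    """1 - nu_G(E, Act): the probability mass not covered by any transition."""
    return 1 - sum((p for _a, p, _i, _t in transitions), Fr(0))


def nu_G(transitions, allowed):
    """Generative normalization factor, extended to sets that contain DEADLOCK."""
    factor = sum((p for a, p, _i, _t in transitions if a in allowed), Fr(0))
    if DEADLOCK in allowed:
        # Deadlock-preserving variant: keep the deadlock mass in the denominator.
        factor += deadlock_probability(transitions)
    return factor


def restrict(transitions, allowed):
    """Transitions of E restricted to `allowed`, following the restriction rule."""
    r = nu_G(transitions, allowed)
    if r == 0:
        return []  # no permitted transition and no preserved deadlock mass
    label = frozenset(allowed)
    # Each surviving transition p becomes p / r; targets stay under the restriction.
    return [(a, p / r, i, (t, label))
            for a, p, i, t in transitions if a in allowed]


def classify(transitions):
    """Name the state by the sum of its transition probabilities."""
    total = 1 - deadlock_probability(transitions)
    if total == 1:
        return "stochastic"
    if total == 0:
        return "deadlocked"
    return "substochastic"


if __name__ == "__main__":
    for allowed in ({"a"}, {"a", DEADLOCK}, {"c"}):
        result = restrict(E, allowed)
        print(sorted(allowed), classify(result), [(a, str(p)) for a, p, _i, _t in result])
```

With the deadlock-eliminating operator the restricted state is stochastic or has no derivations at all; with `DEADLOCK` in the set, the ratio between the a-transition and deadlock stays 1 : 2, as in E itself.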

A  generative  process  is  called  semistochastic  if  the  sum  of  the  probabilities  of  its  derivations  is  0 
or  1.  PCCS  expressions  (contexts)  without  summation  preserve  semistochasticity,  but  a  summation 
context,  or  an  unguarded  recursion  context  with  summation,  may  introduce  non-semistochastic 
behavior.  Each  of  the  expressions 

50.0  + 5O  and  ^ ^1) 

for instance has a deadlock probability of $\frac{1}{2}$. PCCS may be turned into a semistochastic language
by replacing the summation operator by a semistochastic variant, which can be expressed in our
language as $\big(\sum_{i \in I} [p_i] E_i\big) \upharpoonright \mathrm{Act}$ (using our deadlock eliminating restriction operator), and adapting
the definition of restriction-guardedness. In this language there will be no difference between the
deadlock preserving and deadlock eliminating restriction operator, and $[p]X + [1 - p]0 = X$.
A generative transition system is defined as a reactive transition system, except that the second
requirement of $T$ is changed into

$$\forall s \in S,\ \sum \{\!|\, p \mid \exists \alpha \in \mathrm{Act}, i \in I_G, t \in S : (s, \alpha, p, i, t) \in T \,|\!\} \le 1$$

Also, the semantic mapping $\varphi_G$ from PCCS to the domain of generative transition systems is
defined exactly as $\varphi_N$ and $\varphi_R$.

5.2  Generative  Bisimulation 

The extension of reactive bisimulation to the generative model is straightforward. The definition of
the generative cPDF $\mu_G$ is the same as Definition 5 except that it is defined over Pr and in terms
of indexed generative transitions. Likewise, the definition of a generative bisimulation and of $\stackrel{G}{\sim}$ are
the same as in Definition 6, except that they are defined over Pr and in terms of $\mu_G$. Similar to
the reactive case, $\stackrel{G}{\sim}$ is substitutive in PCCS.


Theorem 5 (Congruence) For $E, F \in$ PCCS, $C \in$ PCCS[ ]: $E \stackrel{G}{\sim} F$ implies $C[E] \stackrel{G}{\sim} C[F]$.

Proof: We follow the reactive congruence proof, but this time with PCCS$^k$[ ] the set of PCCS
contexts with at most $k$ nested restriction operators in their top, until we have to show, for $k \in \mathbb{N}$,

$$\forall C \in \mathrm{PCCS}^k[\,]^*,\ \forall S \in \mathrm{Pr}/\mathcal{R},\ \forall \alpha \in \mathrm{Act},\quad \mu_G(C[E], \alpha, S) = \mu_G(C[F], \alpha, S) \tag{11}$$

Again, this will be done by induction on $k$. Suppose (11) holds for $k < l$. It then follows that

$$\forall k < l,\ \forall C \in \mathrm{PCCS}^k[\,]^*,\ \forall A \subseteq \mathrm{Act} \cup \{0\},\quad \nu_G(C[E], A) = \nu_G(C[F], A) \tag{12}$$

because (restricting w.l.o.g. to the case $A \subseteq \mathrm{Act}$)

$$\nu_G(P, A) = \sum_{\alpha \in A,\ S \in \mathrm{Pr}/\mathcal{R}} \mu_G(P, \alpha, S)$$

Now the proof of (11) for $k = l$ continues just like the one for $\sim$, defining $\mu_G^n$ similar to $\mu_R^n$ and
substituting PCCS$^l$[ ] for PCCS[ ], except that the occurrences of max in the cases of summation
and relabeling are replaced by $\sum$ (in the case of summation followed by $p_i \cdot$), and every time we
invoke the induction hypothesis, we check that it is applied to contexts in PCCS$^l$[ ]* only (in the
case of recursion this follows by restriction-guardedness of PCCS expressions). Moreover the last
line in the case of restriction is replaced by:


$$\mathrm{LHS} = \frac{\mu^n(C[E], \alpha, S')}{\nu(C[E], A)} \stackrel{\text{induction, (12)}}{\le} \frac{\mu(C[F], \alpha, S')}{\nu(C[F], A)} = \mathrm{RHS}$$

Here (12) may be applied since $C \in$ PCCS$^{l-1}$[ ]*.


□ 




Figure 8: Stratified operational semantics of PCCS.


6  The  Stratified  Model 

The  treatments  of  the  nonprobabilistic,  reactive  and  generative  models  are  extended  here  to  the 
stratified  case. 


6.1  Stratified  Operational  Semantics  of  PCCS 

The  stratified  operational  semantics  of  PCCS  is  comprised  of  two  types  of  transition  relations: 
action  transitions  (as  in  the  nonprobabilistic  model)  and  probability  transitions.  Action  transitions 
are  of  the  form  P  — ^  Q.  Probability  transitions  are  of  the  form  P  Q,  meaning  that  P,  with 

probability  p,  can  behave  as  the  process  Q.  Here  i  is  an  index  firom  the  set  7^  =  Jg  -  {0},  where  7| 
is  the  smallest  set  such  that  0  6  7^,  h  C  7§  and  ij  6  7?  =>  {i,j)  €  7^.  This  separation  of  action 
and  probability  in  the  stratified  model  permits  the  branching  structure  of  the  purely  probabilistic 
choices  to  be  captured  explicitly.  The  inference  rules  for  probability  transitions  appear  in  Figure  8, 
the  rules  for  action  transitions  are  the  same  as  in  the  nonprobabilistic  case,  except  that  there  is  no 
rule  for  process  summation,  since  in  the  stratified  model  the  only  choice  mechanism  is  probabilistic. 
Only  the  probability  transitions  need  to  be  indexed.  This  bi-structured  approach  to  operational 
semantics  was  (to  our  knowledge)  first  presented  in  [Tof90a]  to  give  a  semantics  for  a  timed  version 
of  CCS.  Note  that  no  PCCS  expression  admits  both  action  and  probability  transitions.  Thus  the 
set  of  PCCS  processes  is  partitioned  into  action  processes  (admitting  action  transitions),  probability 
processes  (admitting  probability  transitions),  and  deadlock  processes  (admitting  neither). 

Except for the rules for product and restriction, all of the inference rules for probability transitions
are straightforward adaptations of their nonprobabilistic counterparts. The third and fourth
rules say that the product of an action process and a probability process is a probability process.
They are needed to avoid deadlock in a synchronous product that is caused by a difference in depth
of the purely probabilistic branching structures of the argument processes. For example, we do not
want $(\frac{1}{2}a.0 + \frac{1}{2}b.0) \times c.0$ to deadlock simply because there does not exist a probability transition
in the right hand argument.
As in the generative operational semantics, the restriction rule expresses the probability transitions
of $E \upharpoonright A$ in terms of the conditional probabilities of $E$ under the assumption $A$. Intuitively,
$E \upharpoonright A$ behaves like $E$, where all probability transitions to subexpressions that necessarily require the
execution of a restricted action are eliminated. The probabilities associated with these transitions
are evenly distributed among the remaining probability transitions.

The  predicate  for  A  C  Act  is  defined  by  E  if  E  =  Eo  Ei  En  >  E' 

•  Au{0)  .  A 

for  certain  n  e  IN  and  o;  €  A.  It  is  extended  to  A  C  Act  U  {0}  by  E  — >  iff  {E  — >  ME  -f-^  ). 
Thus  the  condition  E'  in  the  rule  premise  requires  that  derivative  E'  of  E  is  capable  of 
performing  an  action  transition  from  the  set  A  of  permitted  actions  (or,  in  case  0  €  A,  deadlocks). 
The  function  ug  calculates  the  stratified  normalization  factor  and  is  defined  by 

iys{E,A)  =  53  1  E  Ei  ,  £1^  -4  I 

i£ls 


As  in  the  generative  case,  it  will  follow  from  the  proof  of  Theorem  6  that  and  ug  are  well-defined. 

To  illustrate  the  inference  rule  for  restriction,  consider  the  process 

P  =  ia.O  +  I  (^6.0  -t-  ic.O) 

In  the  following,  P  is  placed  in  some  relevant  restriction  contexts,  resulting  in  the  restriction-free 
processes  on  the  right-hand  side. 

Fr{6,c}  =  l(i6.0  -h  ^c.O) 

PKo,  c}  =  ia.O-f  Ilc.O 
P  r{c}  =  1  (1  C.0) 

Here  =  denotes  isomorphism  of  the  associated  labeled  transition  systems. 

The inference rules for action and probability transitions define the semantic mapping $\varphi_S$ from
PCCS to the domain of stratified probabilistic labeled transition systems. Such transition systems
have action states, having exactly one outgoing action transition, probability states, having only
outgoing probability transitions, all with a different index, and deadlock states, having no outgoing
transitions. Stratified transition systems are semistochastic in the sense that for each probability
state the sum of the probabilities of its outgoing transitions is 1. A state with a sequence of
probability transitions to a deadlocked state corresponds to a substochastic state in the generative
model.

6.2  Stratified  Bisimulation 

Stratified bisimulation is similar to reactive and generative bisimulation in that processes are
required to derive stratified bisimulation equivalence classes with equal cumulative probability.
However, the separation of probability and action in the stratified operational semantics is reflected in
the definition of stratified bisimulation.

To  define  stratified  bisimulation,  we  need  to:  (1)  define  a  function  that  computes  the  total 
probability  by  which  a  process  can  behave  the  same  as  any  process  in  a  set  of  processes  (the 
technique is analogous to the one in Definition 5, and thus the details are omitted); (2) ^

Definition 2, the action relations to sets of derivative processes. The stratified cumulative PDF $\mu_S$
incorporates both (1) and (2) in an integrated fashion. In particular, $\mu_S$ is of the form

$$\mu_S : (\mathrm{Pr} \times (\mathrm{Act} \cup \{*\}) \times \mathcal{P}(\mathrm{Pr})) \to [0, 1]$$

where $*$ is a dummy symbol used to mark probability transitions. That is, for $\alpha \in \mathrm{Act}$, $\mu_S(P, \alpha, S) \in
\{0, 1\}$ indicates whether or not $P$ has an $\alpha$-transition to some process in $S$. Otherwise, $\mu_S(P, *, S) \in
[0, 1]$ specifies the total probability by which $P$ may behave the same as any process in $S$.

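Definition 7 An equivalence relation $\mathcal{R} \subseteq Pr \times Pr$ is a stratified bisimulation if $(P,Q) \in \mathcal{R}$
implies $\forall S \in Pr/\mathcal{R}$, $\forall \alpha \in Act \cup \{*\}$,

$$\mu_S(P, \alpha, S) = \mu_S(Q, \alpha, S)$$

Two processes $P, Q$ are stratified bisimulation equivalent (written $P \stackrel{S}{\sim} Q$) if there exists a stratified
bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$.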


Theorem 6 (Congruence) For $E, F \in PCCS$, $C \in PCCS[\,]$: $E \stackrel{S}{\sim} F$ implies $C[E] \stackrel{S}{\sim} C[F]$.

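Proof: By induction on $k$ (as in the generative case) we establish

$$\forall C \in PCCS^k[\,]^*,\ \forall S \in Pr/\mathcal{R},\ \forall \alpha \in Act \cup \{*\},\quad \mu_S(C[E], \alpha, S) = \mu_S(C[F], \alpha, S) \qquad (13)$$

where $\mathcal{R}$ is defined as usual. Suppose (13) holds for $k < l$. It then follows that

$$\forall k < l,\ \forall C \in PCCS^k[\,]^*,\ \forall A \subseteq Act \cup \{0\},\quad C[E] \xrightarrow{A} \text{ iff } C[F] \xrightarrow{A} \qquad (14)$$

As a consequence we may write $S \xrightarrow{A}$ for $S \in Pr/\mathcal{R}$ when $P \xrightarrow{A}$ for an arbitrary representative
$P \in S$. Now, if $C[E]$ is not an action process,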

us{C[E],A)  =  52  M5(C[P],  *,  5) 

and  therefore 

$$\forall k < l,\ \forall C \in PCCS^k[\,]^*,\ \forall A \subseteq Act \cup \{0\},\quad \nu_S(C[E], A) = \nu_S(C[F], A) \qquad (15)$$

The proof of (13) for $k = l$ is split into two cases. The case of an action transition $\alpha \in Act$
proceeds as the congruence proof for except that we check that the induction hypothesis is applied
to contexts in PCCS*[ ] only, and in the case of summation we conclude with LHS = 0 = RHS.

The  case  of  a  probability  transition  a  =  *  also  follows  the  proof  for  defining  /ig  similar  to 
/i^,  but  with  the  following  modifications. 
Action  prefixing:  The  proof  of  (4)  (with  P  =  *)  trivializes  as  .C[E],  *,  5)  —  0.

Summation:  The  proof  of  (5)  is  replaced  by 

*,  S)  =  I  Ci[E]  G  5|  =  I  CiiF]  eSl  =  fJi{Y^\pi]Ci[Fl  *,  S) 
iel  iel 

since, for $i \in I$, $C_i[E]$ and $C_i[F]$ are in the same equivalence class $S' \in Pr/\mathcal{R}$.

Product: The proof of (6) (with $\gamma = *$) is unchanged until "Moreover". Then we have to show
that for all $C_i \in PCCS^l[\,]^*$ and $S_i \in Pr/\mathcal{R}$ ($i = 1, 2$),

$$\mu^{n+1}(C_1[E] \times C_2[E], *, S_1 \times S_2) \le \mu(C_1[F] \times C_2[F], *, S_1 \times S_2) \qquad (16)$$

For this we distinguish 4 cases, depending on whether or not $C_1[E]$ and $C_2[E]$ are probability
processes. If neither of them are, (16) follows since LHS = 0. If both of them are, we have

$$\text{LHS} = \mu^n(C_1[E], *, S_1) \cdot \mu^n(C_2[E], *, S_2) \stackrel{\text{induction}}{\le} \mu(C_1[F], *, S_1) \cdot \mu(C_2[F], *, S_2) = \text{RHS}$$

And if just one of them (say $C_1[E]$) is a probability process, (16) follows since

$$\text{LHS} = \mu^n(C_1[E], *, S_1) \cdot \sum_{\beta \in Act} \mu^n(C_2[E], \beta, S_2) \stackrel{\text{induction}}{\le} \mu(C_1[F], *, S_1) \cdot \sum_{\beta \in Act} \mu(C_2[F], \beta, S_2) = \text{RHS}$$

Restriction: The proof of (7) is unchanged until "Moreover". Then we have to show that for all
$C \in PCCS^l[\,]^*$, $A \subseteq Act \cup \{0\}$ and $S' \in Pr/\mathcal{R}$,

$$\mu^{n+1}(C[E] \upharpoonright A, *, S' \upharpoonright A) \le \mu(C[F] \upharpoonright A, *, S' \upharpoonright A) \qquad (17)$$

Now the proof of (17) proceeds with a case distinction. In case $S' \not\xrightarrow{A}$ we have LHS = 0 = RHS.
In case $S' \xrightarrow{A}$ it concludes as in the generative case.

Relabeling: This case (with $\beta = *$) concludes with

$$\text{LHS} = \mu^n(C[E], *, S') \stackrel{\text{induction}}{\le} \mu(C[F], *, S') = \text{RHS} \qquad \Box$$

7  Interrelating  the  Models 

In  this  section  we  establish  the  results  announced  in  the  introduction,  showing  that  the  models 
discussed  before  form  a  hierarchy.  We  start  with  investigating  the  abstraction  from  the  generative 
to  the  reactive  model  in  Section  7.1,  followed  by  an  analogous  treatment  of  the  more  intricate 
abstraction  from  the  stratified  to  the  generative  model  in  Section  7.2.  Subsequently,  we  give  a 
direct  abstraction  from  the  stratified  to  the  reactive  model  in  Section  7.3.  Finally,  we  briefly  sketch 
the  simpler  abstraction  steps  leading  from  probabilistic  to  nonprobabilistic  models. 
7.1  The  Generative  to  Reactive  Abstraction

Let $E, E'$ be PCCS expressions. The inter-model abstraction rule $IMAR_{GR}$ is defined by

$$\frac{E \xrightarrow{\alpha[p]}_i E'}{E \stackrel{\alpha[p/\nu_G(E,\{\alpha\})]}{\hookrightarrow}_i E'}$$

This rule uses the generative normalization function to convert generative probabilities to reactive
ones, thereby abstracting away from the relative probabilities between different actions. We can
now define $\varphi_{GR}(\varphi_G(P))$ as the reactive transition system that can be inferred from $P$'s generative
transition system via $IMAR_{GR}$. By the same procedure as described at the end of Section 3.1, $\varphi_{GR}$
can be extended to a mapping $\varphi_{GR} : \mathbb{G}_G \to \mathbb{G}_R$.

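Write $P \stackrel{GR}{\sim} Q$ if $P, Q \in Pr$ are reactive bisimulation equivalent with respect to the transitions
derivable from $G + IMAR_{GR}$, i.e. the theory obtained by adding $IMAR_{GR}$ to the rules of Figure 7.
The equivalence $\stackrel{GR}{\sim}$ is defined just like $\stackrel{R}{\sim}$ but using the cPDF $\mu_{GR}$ instead of $\mu_R$. $\mu_{GR}$ is defined by

$$\mu_{GR}(P, \alpha, S) = \sum_{i \in I_G} \{\!|\, p_i \mid G + IMAR_{GR} \vdash P \stackrel{\alpha[p_i]}{\hookrightarrow}_i Q \text{ and } Q \in S \,|\!\}$$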

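Theorem 7 (Abstraction) Let $G, H \in \mathbb{G}_G$. Then $G \stackrel{G}{\sim} H \Rightarrow \varphi_{GR}(G) \stackrel{R}{\sim} \varphi_{GR}(H)$.

Proof: We prove this theorem for the case that $G$ and $H$ are of the form $\varphi_G(P)$ and $\varphi_G(Q)$ with
$P, Q \in Pr$ and use that $\varphi_G(P) \stackrel{G}{\sim} \varphi_G(Q) \Leftrightarrow P \stackrel{G}{\sim} Q$ and $\varphi_{GR}(\varphi_G(P)) \stackrel{R}{\sim} \varphi_{GR}(\varphi_G(Q)) \Leftrightarrow P \stackrel{GR}{\sim} Q$.
The proof of the general case is not essentially different, but would involve defining the reactive
and generative bisimulation equivalences formally on transition systems.

Let $\mathcal{R}$ be a generative bisimulation on $Pr$. We prove that $\mathcal{R}$ is also a reactive bisimulation on
$Pr$ with respect to the transitions derivable from $G + IMAR_{GR}$. So let $(P, Q) \in \mathcal{R}$, $S \in Pr/\mathcal{R}$ and
$\alpha \in Act$. Then

$$\nu_G(P, \{\alpha\}) = \sum_{S \in Pr/\mathcal{R}} \mu_G(P, \alpha, S) = \sum_{S \in Pr/\mathcal{R}} \mu_G(Q, \alpha, S) = \nu_G(Q, \{\alpha\}),$$

so

$$\mu_{GR}(P, \alpha, S) = \frac{\mu_G(P, \alpha, S)}{\nu_G(P, \{\alpha\})} = \frac{\mu_G(Q, \alpha, S)}{\nu_G(Q, \{\alpha\})} = \mu_{GR}(Q, \alpha, S) \qquad \Box$$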


We will now investigate to what extent $\varphi_{GR}$ commutes with the semantic mappings $\varphi_G$ and $\varphi_R$.
This turns out to be the case for $PCCS_R$ processes in which all summations are of the form
$\sum_{i \in I} [p_i]\, \alpha_i . E_i$. We say that such an expression is summation-guarded.

Lemma 1 (Soundness and Completeness of $IMAR_{GR}$) For $E, E'$ summation-guarded $PCCS_R$
expressions, $\alpha \in Act$, $p \in (0, 1]$ and $i \in I_R$,

$$R \vdash E \stackrel{\alpha[p]}{\hookrightarrow}_i E' \iff G + IMAR_{GR} \vdash E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$$
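Proof: As in the congruence proofs, we use induction on the depth of derivation trees, and write
$R \vdash_n E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$ if the transition $E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$ can be derived by a proof-tree of depth $n$. In the
similar definition of $G + IMAR_{GR} \vdash_n$ we don't count the single application of $IMAR_{GR}$ though.
We distinguish several cases, depending on the topmost operator of $E$. The case of action prefixing
is trivial.

Guarded summation: $R \vdash_2 \sum_{i \in I} [p_i]\, \alpha_i . E_i \stackrel{\alpha_j[q]}{\hookrightarrow}_j E_j$

iff $j \in I$ and $q = p_j / \sum_{k \in I,\ \alpha_k = \alpha_j} p_k = p_j / \nu_G(\sum_{i \in I} [p_i]\, \alpha_i . E_i, \{\alpha_j\})$

iff $G + IMAR_{GR} \vdash_2 \sum_{i \in I} [p_i]\, \alpha_i . E_i \stackrel{\alpha_j[q]}{\hookrightarrow}_j E_j$.

Product: $R \vdash_{n+1} E \times F \stackrel{(\alpha,\beta)[r]}{\hookrightarrow}_{(i,j)} E' \times F'$

iff $R \vdash_n E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$, $F \stackrel{\beta[q]}{\hookrightarrow}_j F'$ and $p \cdot q = r$

iff $G + IMAR_{GR} \vdash_n E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$, $F \stackrel{\beta[q]}{\hookrightarrow}_j F'$ and $p \cdot q = r$ (by induction)

iff $G \vdash_n E \xrightarrow{\alpha[p \cdot \nu_G(E,\{\alpha\})]}_i E'$, $F \xrightarrow{\beta[q \cdot \nu_G(F,\{\beta\})]}_j F'$ and $p \cdot q = r$

iff $G \vdash_{n+1} E \times F \xrightarrow{(\alpha,\beta)[r \cdot s]}_{(i,j)} E' \times F'$ and $s = \nu_G(E, \{\alpha\}) \cdot \nu_G(F, \{\beta\}) = \nu_G(E \times F, \{(\alpha,\beta)\})$

iff $G + IMAR_{GR} \vdash_{n+1} E \times F \stackrel{(\alpha,\beta)[r]}{\hookrightarrow}_{(i,j)} E' \times F'$.

Restriction: $R \vdash_{n+1} E \upharpoonright A \stackrel{\alpha[p]}{\hookrightarrow}_i E' \upharpoonright A$

iff $R \vdash_n E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$ and $\alpha \in A$

iff $G + IMAR_{GR} \vdash_n E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$ and $\alpha \in A$ (by induction)

iff $G \vdash_n E \xrightarrow{\alpha[p \cdot \nu_G(E,\{\alpha\})]}_i E'$ and $\alpha \in A$

iff $G \vdash_{n+1} E \upharpoonright A \xrightarrow{\alpha[p \cdot r]}_i E' \upharpoonright A$ where $r = \nu_G(E, \{\alpha\}) / \nu_G(E, A) = \nu_G(E \upharpoonright A, \{\alpha\})$

iff $G + IMAR_{GR} \vdash_{n+1} E \upharpoonright A \stackrel{\alpha[p]}{\hookrightarrow}_i E' \upharpoonright A$.

Recursion: $R \vdash_{n+1} fix_X E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$

iff $R \vdash_n E\{fix_X E/X\} \stackrel{\alpha[p]}{\hookrightarrow}_i E'$

iff $G + IMAR_{GR} \vdash_n E\{fix_X E/X\} \stackrel{\alpha[p]}{\hookrightarrow}_i E'$ (by induction)

iff $G \vdash_n E\{fix_X E/X\} \xrightarrow{\alpha[p \cdot r]}_i E'$ where $r = \nu_G(E\{fix_X E/X\}, \{\alpha\}) = \nu_G(fix_X E, \{\alpha\})$

iff $G \vdash_{n+1} fix_X E \xrightarrow{\alpha[p \cdot \nu_G(fix_X E,\{\alpha\})]}_i E'$

iff $G + IMAR_{GR} \vdash_{n+1} fix_X E \stackrel{\alpha[p]}{\hookrightarrow}_i E'$. $\Box$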


As  an  immediate  consequence  of  Lemma  1  we  have: 
Theorem 8 (Commutativity) Let $P \in Pr_R$ be summation-guarded. Then $\varphi_{GR}(\varphi_G(P)) = \varphi_R(P)$.

Corollary 9 Let $P, Q \in Pr_R$ be summation-guarded. Then $P \stackrel{G}{\sim} Q \Rightarrow P \stackrel{R}{\sim} Q$.

Proof: Theorem 7 says that $P \stackrel{G}{\sim} Q \Rightarrow P \stackrel{GR}{\sim} Q$ for $P, Q \in Pr$. Theorem 8 (or Lemma 1) implies
$\mu_R(P, \alpha, S) = \mu_{GR}(P, \alpha, S)$ and hence $P \stackrel{R}{\sim} Q \Leftrightarrow P \stackrel{GR}{\sim} Q$ for summation-guarded $P, Q \in Pr_R$. $\Box$

Theorem 8 does not hold in the presence of general summation. Consider the process

$$P = \tfrac{1}{3} a.X + \tfrac{2}{3}\left(\tfrac{1}{2} a.Y + \tfrac{1}{2} b.Z\right)$$

In $\varphi_{GR}(\varphi_G(P))$ the probabilities of $a.X$ and $a.Y$ are equal, while in $\varphi_R(P)$ executing $a.Y$ is twice
as likely as $a.X$. This counterexample can be easily extended so as to apply to Corollary 9 as well.
One may wonder whether relabeling could be added to, or summation redefined on the reactive
model such that reactive bisimulation remains a congruence, but Theorem 8 can be extended. This
is not possible as it would imply that $\stackrel{GR}{\sim}$ is a congruence, which will be refuted below.

The equivalence $\stackrel{GR}{\sim}$ (which was previously defined only on closed PCCS expressions) can be
extended to arbitrary generative labeled transition systems by $G \stackrel{GR}{\sim} H \Leftrightarrow \varphi_{GR}(G) \stackrel{R}{\sim} \varphi_{GR}(H)$,
and $P \stackrel{GR}{\sim} Q \Leftrightarrow \varphi_G(P) \stackrel{GR}{\sim} \varphi_G(Q)$. We show that this equivalence is not a congruence, thus
demonstrating the need for refining the bisimulation semantics when moving from the reactive to
the generative model. Consider the PCCS processes

P  =  ia.O  +  |6.c.O  (3  =  |a.O  +  ^6.c.O 

For $P, Q$ we have $P \stackrel{GR}{\sim} Q$, i.e.

$$\varphi_{GR}(\varphi_G(P)) \stackrel{R}{\sim} \varphi_{GR}(\varphi_G(Q))$$

However, the same is not true for $C[P]$ and $C[Q]$, where $C$ is the relabeling $[a \to a, b \to a, c \to c]$.
In  particular,  /UGij(<7[P],  a,  [c.  0]j,)  =  I  and  fiGR{C[Q],a,[c .0]r)  =  L 

A  similar  counterexample  is  obtained  by  placing  P  and  Q  in  the  summation  context  C  = 
|[  ]  -I-  ^6.0.  In  this  case  fiGRiC[P],b,  [c.0]h)  =  |  and  /igr(C[Q],  6,  [c.  0]^)  = 


7.2  The  Stratified  to  Generative  Abstraction 


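Let $E, E'$ be PCCS expressions. Then $IMAR_{SG}$ is given by

$$\frac{E \xrightarrow{\alpha} E'}{E \xrightarrow{\alpha[1]}_0 E'} \qquad\qquad \frac{E \stackrel{p}{\longmapsto}_i E' \quad E' \xrightarrow{\alpha[q]}_j E''}{E \xrightarrow{\alpha[p \cdot q]}_{i.j} E''}$$

where $i.j$ (as in the generative case) denotes the concatenation of two indices. Thus the elements
of $I_{SG}$, the set of indices generated by $S + IMAR_{SG}$, are sequences, and we let $|i|$ denote the length
of such a sequence.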
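Write $P \stackrel{SG}{\sim} Q$ if $P, Q \in Pr$ are generative bisimulation equivalent with respect to the transitions
derivable from $S + IMAR_{SG}$. The equivalence $\stackrel{SG}{\sim}$ is defined just like $\stackrel{G}{\sim}$ but using the cPDF $\mu_{SG}$
instead of $\mu_G$. $\mu_{SG}$ is defined by

$$\mu_{SG}(P, \alpha, S) = \sum_{i \in I_{SG}} \{\!|\, p_i \mid S + IMAR_{SG} \vdash P \xrightarrow{\alpha[p_i]}_i Q \text{ and } Q \in S \,|\!\}$$

Theorem 10 (Abstraction) Let $G, H \in \mathbb{G}_S$. Then $G \stackrel{S}{\sim} H \Rightarrow \varphi_{SG}(G) \stackrel{G}{\sim} \varphi_{SG}(H)$.

Proof: As before, we prove this theorem for the case that $G$ and $H$ are of the form $\varphi_S(P)$ and
$\varphi_S(Q)$. Thus we show that for $P, Q \in Pr$, $P \stackrel{S}{\sim} Q \Rightarrow P \stackrel{SG}{\sim} Q$.
We now define

$$\mu^n_{SG}(P, \alpha, S) = \sum_{i \in I_{SG}} \{\!|\, p_i \mid S + IMAR_{SG} \vdash P \xrightarrow{\alpha[p_i]}_i Q,\ Q \in S \text{ and } |i| = n \,|\!\}$$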

Let  K  be  a  stratified  bisimulation  on  Pr.  We  prove  that  R  is  ^ 

with  respect  to  the  transitions  derivable  from  S  +  IMARsg.  l  e.  that  for  (  ,Q)  ,  / 

and  a  6  Act, 

i^SG{P-i  ~  t^SG\Qi  P) 

As  psG(P,a.S)  =  i:«ewhSG(P.«.S).  i*  “  P“'" 

induction  o  ii'sg{P,a,S)  =  )ts{P,<‘,S)  =  hsCQ.u, S)  = 


p;«(P,a,S)=  Y,  jMj|S+IMARsGl-P  <3.  ■RSP'-. 


i^IsJ^^SG 


independent  of  choice  of  H  £  [R]k 


[J^]TCeFr/7^ 

[R]'r,^Pp /'^ 

$IMAR_{SG}$ has the effect of "flattening" trees of probability transitions with action transitions at
the leaves into a single-level structure of generative transitions. Indeed, we show that the generative
transition system of a restriction-free PCCS process $P$ is isomorphic to the
system that can be inferred from $P$'s stratified transition system via $IMAR_{SG}$. For example,

P  =  ia .  0  +  nib .  0  +  ic. 0).  Then,  by  IMARsg 


a[i]  ^  Mil 

P^l.oO  P  — ^2.1.0 


w,  ‘3'  rk 

0  P  - 1  2.2.0  0 


Except  for  the  transition  indices,  these  are  precisely  the  transitions  of  P  in  the  generative  model. 




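Lemma 2 (Soundness and Completeness of $IMAR_{SG}$) There is a surjection $f : I_G \to I_{SG}$
such that for $E, E'$ restriction-free PCCS expressions, $\alpha \in Act$, $p \in (0, 1]$ and $i \in I_G$,

$$G \vdash E \xrightarrow{\alpha[p]}_i E' \iff S + IMAR_{SG} \vdash E \xrightarrow{\alpha[p]}_{f(i)} E'$$

Moreover $G \vdash E \to_i E'$, $E \to_j E''$, $i \neq j \implies f(i) \neq f(j)$.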


Proof: In Lemma 1 $f$ happened to be the identity function and was therefore not mentioned.
Unfortunately, $f$ cannot be chosen bijective this time. In order to get rid of this complication in
an early stage, we split the proof in two parts by considering an intermediate operational semantics
$G'$. The inference rules of $G'$ are exactly the same as the ones of $G$, except that in the rule for
product when $i$ and $j$ are both 0 the resulting index is also 0 instead of $(0,0)$. Let $f' : I_G \to I_{G'}$ be
the function that exhaustively replaces all occurrences of $(0,0)$ in an index by 0. Then


G\-E 


a[p] 


E' 


n' I- TP  ^  F' 
G  r  E  — >■  /'(i)  Tj 


q[p] 


E',  E 


m 


Now let $G \vdash E \to_i E'$, $E \to_j E''$ and $f'(i) = f'(j)$. If $E$ is summation-free, it has only
one outgoing transition and therefore $i = j$. Otherwise $i = j$ is established by a straightforward
induction on the length of derivations. We refer to this property of $f'$ as "limited injectivity" since
$f'$ is injective only with respect to the transition indices of a given $E$.

The second part of the proof consists of establishing Lemma 2 with $G'$ instead of $G$ and
$f : I_{G'} \to I_{SG}$. This function can be chosen bijective.

Recall  that  =  /^  U  {0}  and  let  be  the  largest  set  of  sequences  over  Ig  such  that  an  index 
{i,j)  can  only  be  followed  by  either  0  or  an  index  {k,l)  such  that  i.k,j.l  €  Isg^  index  0  can 

only  be  followed  by  an  index  0.  Then  Isg  =  IsG  ^  This  follows  from  the  fact  that  product

is  a  static  operator,  i.e.  the  syntactic  subtree  of  occurrences  of  product  in  a  PCCS  expression  is 
preserved  under  stratified  derivations.  Define  head  :  Iq'  — >  Isi  •  ^G'  ^G'  the  partial 

function  •  :  Ig  x  Ig'  Ig'  by 


head{0)  =  0 
head{i.j)  =  i 

head{i,j)  =  {head{i),  head{j)) 


tail{0)  =  0 
tail{i.j)  =j 

tail{i,j)  =  < 


{tail{i),tail{j))  if  7^  (0,0) 
0  otherwise 


0*0  =  0 

i*j  =  i-j  (*  €  Iq) 

{i,j)*{k,l)  =  {i*k,j*l) 

(i,;)  *0  =  (i*0,j  *0) 


With structural induction on $j$ for "$\Rightarrow$" and on $i$ for "$\Leftarrow$" it follows that

$$i = j \bullet k \iff j = head(i) \wedge k = tail(i) \qquad (18)$$

Moreover, if $i \neq 0$, $head(i) \in I_S$ and $tail(i)$ is a shorter index than $i$.

Define $f : I_{G'} \to I_{SG}$ by

$$f(i) = \begin{cases} 0 & \text{if } i = 0 \\ head(i) . f(tail(i)) & \text{otherwise} \end{cases}$$

and $g : I_{SG} \to I_{G'}$ by

$$g(i_0 . \cdots . i_n) = (i_0 \bullet (\cdots (i_{n-1} \bullet i_n) \cdots))$$
Note that $f$ transforms pairs of sequences into sequences of pairs. Clearly $f(i) \in I_{SG}$ for $i \in I_{G'}$ and
$g(i) \in I_{G'}$ for $i \in I_{SG}$. Further $g$ is the inverse of $f$ by (18), and hence $f$ is bijective. The bijectivity
of $f$ together with the limited injectivity of $f'$ establishes the "moreover" part of the lemma.

We now proceed to prove

$$G' \vdash E \xrightarrow{\alpha[p]}_i E' \iff S + IMAR_{SG} \vdash E \xrightarrow{\alpha[p]}_{f(i)} E'$$

by structural induction on $i$. In case $i = 0$ (the induction base) $E$ must be summation-free and there
is almost no difference between the generative and stratified (= nonprobabilistic) inference rules,
and the statement holds. In case $i \neq 0$ we again use induction on the depth of derivation trees,
albeit modified ones. Here the modification of a derivation tree consists of removing all ancestors
of transitions from summation expressions, and the modification of an $S + IMAR_{SG}$ derivation tree
consists of erasing any subtree ending with a clause that is used as the second argument in an
application of $IMAR_{SG}$. Moreover, the remaining application of $IMAR_{SG}$ doesn't count. We now
use the notation $\vdash_n$ to refer to the depth of modified derivations, and prove

$$G' \vdash_n E \xrightarrow{\alpha[p]}_i E' \iff S + IMAR_{SG} \vdash_n E \xrightarrow{\alpha[p]}_{f(i)} E'$$

by induction on $n$. We distinguish several cases, depending on the topmost operator of $E$. As $i \neq 0$
this operator cannot be action prefixing.

EO^[p]  ^[9] 

\pi]  Ei - E'  iff  G  h  Ej - >k  E  and  p  =  Pj  ^  q 

iei 

a[g] 

iflF  S'  +  IMAR5G  1“  Ej - E'  and  p-Pj-q  (by  induction  {k  <  j.k)) 

Ea[p]  v™'  Pj 

\pi]Ei - E'  (since  5  hi  2^  \pi]Ei  \ - >j  Ej). 

iel 

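Product: In case $i \neq 0 \neq j$: $G' \vdash_{n+1} E \times F \xrightarrow{(\alpha,\beta)[r]}_{(i,j)} E'' \times F''$

iff $G' \vdash_n E \xrightarrow{\alpha[p]}_i E''$, $F \xrightarrow{\beta[q]}_j F''$ and $p \cdot q = r$

iff $S + IMAR_{SG} \vdash_n E \xrightarrow{\alpha[p]}_{f(i)} E''$, $F \xrightarrow{\beta[q]}_{f(j)} F''$ and $p \cdot q = r$ (by induction)

iff $S \vdash_n E \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $F \stackrel{q_1}{\longmapsto}_{head(j)} F'$,
$S + IMAR_{SG} \vdash E' \xrightarrow{\alpha[p_2]}_{f(tail(i))} E''$, $F' \xrightarrow{\beta[q_2]}_{f(tail(j))} F''$ and $p_1 \cdot p_2 \cdot q_1 \cdot q_2 = r$

iff $S \vdash_n E \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $F \stackrel{q_1}{\longmapsto}_{head(j)} F'$,
$G' \vdash E' \xrightarrow{\alpha[p_2]}_{tail(i)} E''$, $F' \xrightarrow{\beta[q_2]}_{tail(j)} F''$ and $p_1 \cdot p_2 \cdot q_1 \cdot q_2 = r$ (by induction)

iff $S \vdash_{n+1} E \times F \stackrel{r_1}{\longmapsto}_{(head(i),head(j))} E' \times F'$,
$G' \vdash E' \times F' \xrightarrow{(\alpha,\beta)[r_2]}_{tail(i,j)} E'' \times F''$ and $r_1 \cdot r_2 = r$

iff $S \vdash_{n+1} E \times F \stackrel{r_1}{\longmapsto}_{head(i,j)} E' \times F'$,
$S + IMAR_{SG} \vdash E' \times F' \xrightarrow{(\alpha,\beta)[r_2]}_{f(tail(i,j))} E'' \times F''$ and $r_1 \cdot r_2 = r$ (by induction)

iff $S + IMAR_{SG} \vdash_{n+1} E \times F \xrightarrow{(\alpha,\beta)[r]}_{f(i,j)} E'' \times F''$.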
In  case  i  ^0  =  j:  G'  hn+i  E  x  F - ^ - >-(j,o)  E"  x  F"

iff  G'hnE — E",  F — ^^^0  E" 

iff  S  +  lMARsG^nE—^^f^i)  E",  F - F"  (by  induction) 


iff  S\-nE  I - >head(i)  E\  F - > 

Q.\T’2\ 

S  +  IMARsg^E' - >f{taii(i))  E",  F 


^0  F"  and  ri  •  r2  =  r 


iff  S\-nE 
G'\-E' 


^head{i)  F  ,  F 

rpN  rp  _ 

il(i'\  ■C'  ,  -c  — 


F"  and  ri  •  r2  =  r  (by  induction) 


iff  S  hn+l  Ex  F  I - - >ihead(i),0)  E'  X  F, 

(q  /5)[7'2] 

G''rE'  xF  — ^ - haa{i,Q)  E"  X  F"  and  ri  •  r2  =  r 

iff  S  l-„+i  ExF  I - - >head[ifi)  E'  X  F, 

S  +  IMARsg  E'  xF  E"  X  F"  and  ri  •  r2  =  r  (by  induction) 

(a,j0)[r] 

iff  5  +  IMARsg  Hn+i  F  X  F - )-/(i,o)  E"  x  F" . 

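The case $i = 0 \neq j$ is symmetric.

Relabeling: $G' \vdash_{n+1} E[f] \xrightarrow{\alpha[p]}_i E''[f]$

iff $G' \vdash_n E \xrightarrow{\beta[p]}_i E''$ and $f(\beta) = \alpha$

iff $S + IMAR_{SG} \vdash_n E \xrightarrow{\beta[p]}_{f(i)} E''$ and $f(\beta) = \alpha$ (by induction)

iff $S \vdash_n E \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $S + IMAR_{SG} \vdash E' \xrightarrow{\beta[p_2]}_{f(tail(i))} E''$, $p_1 \cdot p_2 = p$ and $f(\beta) = \alpha$

iff $S \vdash_n E \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $G' \vdash E' \xrightarrow{\beta[p_2]}_{tail(i)} E''$, $p_1 \cdot p_2 = p$ and $f(\beta) = \alpha$ (by induction)

iff $S \vdash_{n+1} E[f] \stackrel{p_1}{\longmapsto}_{head(i)} E'[f]$, $G' \vdash E'[f] \xrightarrow{\alpha[p_2]}_{tail(i)} E''[f]$, $p_1 \cdot p_2 = p$

iff $S \vdash_{n+1} E[f] \stackrel{p_1}{\longmapsto}_{head(i)} E'[f]$, $S + IMAR_{SG} \vdash E'[f] \xrightarrow{\alpha[p_2]}_{f(tail(i))} E''[f]$, $p_1 \cdot p_2 = p$ (ind.)

iff $S + IMAR_{SG} \vdash_{n+1} E[f] \xrightarrow{\alpha[p]}_{f(i)} E''[f]$.

Recursion: $G' \vdash_{n+1} fix_X E \xrightarrow{\alpha[p]}_i E''$

iff $G' \vdash_n E\{fix_X E/X\} \xrightarrow{\alpha[p]}_i E''$

iff $S + IMAR_{SG} \vdash_n E\{fix_X E/X\} \xrightarrow{\alpha[p]}_{f(i)} E''$ (by induction)

iff $S \vdash_n E\{fix_X E/X\} \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $S + IMAR_{SG} \vdash E' \xrightarrow{\alpha[p_2]}_{f(tail(i))} E''$ and $p_1 \cdot p_2 = p$

iff $S \vdash_{n+1} fix_X E \stackrel{p_1}{\longmapsto}_{head(i)} E'$, $S + IMAR_{SG} \vdash E' \xrightarrow{\alpha[p_2]}_{f(tail(i))} E''$ and $p_1 \cdot p_2 = p$

iff $S + IMAR_{SG} \vdash_{n+1} fix_X E \xrightarrow{\alpha[p]}_{f(i)} E''$.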

As  an  immediate  consequence  of  this  lemma,  we  obtain  the  following  commutativity  result: 




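Theorem 11 (Commutativity) Let $P \in Pr$ be restriction-free. Then $\varphi_{SG}(\varphi_S(P)) = \varphi_G(P)$.

Corollary 12 Let $P, Q \in Pr$ be restriction-free PCCS processes. Then $P \stackrel{S}{\sim} Q \Rightarrow P \stackrel{G}{\sim} Q$.

Proof: Theorem 10 says that $P \stackrel{S}{\sim} Q \Rightarrow P \stackrel{SG}{\sim} Q$ for $P, Q \in Pr$. Theorem 11 (or Lemma 2) implies
$\mu_G(P, \alpha, S) = \mu_{SG}(P, \alpha, S)$ and hence $P \stackrel{G}{\sim} Q \Leftrightarrow P \stackrel{SG}{\sim} Q$ for restriction-free $P, Q \in Pr$. $\Box$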

Theorem  11  does  not  hold  for  arbitrary  PCCS  processes.  Consider  the  process 

P=  ia.0-h|(i6.0-t-^c.0)r{a,6} 

(paiP)  is  equal  to  .  0  -I-  ^6 . 0  while  <Psg{^s{P))  is  equal  to  .  0  -t-  §6 . 0. 

This counterexample can be easily extended so as to apply to Corollary 12 as well.

However,  Theorem  11  and  Corollary  12  do  hold  for  summation-guarded  PCCS  processes  with 
restriction.  The  reason  is  that  for  those  processes  there  is  hardly  any  difference  between  the 
generative  and  stratified  models.  It  suffices  to  extend  Lemma  2  to  this  case. 

Lemma  3  Lemma  2  also  holds  for  summation-guarded  PCCS  expressions. 

Proof: It suffices to add the case for restriction to the proof of Lemma 2. Check that the remark
concerning the induction base still holds. For the induction step we use that in the stratified model,
if $E$ is summation-guarded and $E \longmapsto E'$, then $E'$ is an action process. This can be inferred by
a straightforward induction on stratified derivations. It follows that $\nu_G(E, A) = \nu_S(E, A)$.

a\p] 

Restriction:  l“n+i  E[A - >i  E”  ["A 

a[p'i/G{E,A)] 

iff  G'  \-n  E  - >  i  E”  and  ae  A 

ol\jP'Vq{E  .,Ay[ 

iff  5  +  IMAR5G  E  - /(i)  E”  and  ae  A  (by  induction) 

iff  5  l-„  P  \  E',  fitailii))  =0,  S\-E'-%  E"  and  a  6  A 

«  a[l] 

iff  5f-„+iPM  ^headii)  E'\A,  S-^IUARsg^  E'  — >  fitailii))  E"  and  oGA 

afp]  . 

iff  5  +  IMAR5Gl-„+iPrA - ^/(i)  E"\A.  □ 

Finally, we show that the equivalence induced on the stratified model by generative bisimulation
is not a congruence for restriction. Consider processes $Sc$ and $Sc'$ of Section 1 (the
scheduler specifications). We have $\varphi_{SG}(\varphi_S(Sc)) \stackrel{G}{\sim} \varphi_{SG}(\varphi_S(Sc'))$ but, as discussed in Section 1,
$\varphi_{SG}(\varphi_S(Sc \upharpoonright \{a,b\})) \not\stackrel{G}{\sim} \varphi_{SG}(\varphi_S(Sc' \upharpoonright \{a,b\}))$.

7.3  The  Stratified  to  Reactive  Abstraction 

Let $E, E'$ be PCCS expressions. Then $IMAR_{SR}$ is given by

$$\frac{E \xrightarrow{\alpha} E'}{E \stackrel{\alpha[1]}{\hookrightarrow}_0 E'} \qquad\qquad \frac{E \stackrel{p}{\longmapsto}_i E' \quad E' \stackrel{\alpha[q]}{\hookrightarrow}_j E''}{E \stackrel{\alpha[p \cdot q/\nu_S(E,\{\alpha\})]}{\hookrightarrow}_{i.j} E''}$$

This inter-model abstraction rule defines a mapping $\varphi_{SR} : \mathbb{G}_S \to \mathbb{G}_R$. Like the composed
mapping $\varphi_{GR} \circ \varphi_{SG} : \mathbb{G}_S \to \mathbb{G}_R$, $\varphi_{SR}$ flattens trees of probability transitions with action transitions at
the leaves into a single-level structure, and normalizes the probabilities to yield a reactive
transition system. However, whereas $\varphi_{GR} \circ \varphi_{SG}$ first flattens and then normalizes, $\varphi_{SR}$ performs these
operations interactively. From the proof of Lemma 3 it follows that for summation-guarded PCCS
expressions there is no difference between both approaches. But in general the two mappings are
different, as will be demonstrated at the end of this section.


Theorem 13 (Abstraction) Let $G, H \in \mathbb{G}_S$. Then $G \stackrel{S}{\sim} H \Rightarrow \varphi_{SR}(G) \stackrel{R}{\sim} \varphi_{SR}(H)$.

Proof: Combine the proofs of Theorems 10 and 7. (It doesn't suffice to combine just the theorems
themselves since $\varphi_{GR} \circ \varphi_{SG}(G) \neq \varphi_{SR}(G)$ for an arbitrary stratified transition system $G$). $\Box$

Theorem 14 (Commutativity) Let $P \in Pr_R$. Then $\varphi_{SR}(\varphi_S(P)) = \varphi_R(P)$.

Proof: We proceed along the lines of the proof of Theorem 11 (i.e. Lemma 2), substituting $R$'s for
$G$'s, but with the following modifications in the cases for the topmost operator of $E$.

0([5] 

Summation:  p  =  Pj  ■  q/t  where  r  =  ^  {|pi  |  Ei  >i  E"^  =  usi  2^  [Pi]  Ei,  {ct})- 

»e/ 

Product:  In  case  i  /  0  ^  j:  pi  •  P2  '  Qi  ^  Q2  =  ‘  ^5(^5  {<^})  ’  {/?})  —  t  ■  vs{E  x  F,  {(«,/?)}) 

and  ri  •  r2  =  r  •  vs{E  x  F,  {(a,  /?)}). 

In  case  i  0  =  ri  •  r2  =  r  •  vs{E^  {a})  =  r  *  us{E  x  F,  {(a, /?)}). 

«[p]  . 

Restriction:  R\-ti-\-iE\A  ^ - - - >i  E^^[A 

a\p] 

iff  F'  Hn  E  F"  and  ae  A 

a\p] 

iff  S  +  lMARsR\-nE  ^ - >/(i)  E"  and  aGA  (by  induction) 

a[p2] 

iff  S\-nE  ^head{i)E',  S +  1MARsr  he'  c — yf{taii(i))  E" ,  PrP2  =p-usiE,  {a})  and  a  €  A 

Oi\p2] 

iff  S\-nE^head{i)E\  E  H E' E",  pv P2  =  P ' ME ,  {c^})  and  ogA  (induction) 
iff  5H„+iErA  EHE'|'A<^tai,(i)E"|’A  and  n  ■  P2  =  P  • 

Ot[p2] 

iff  Shn-^iE[A^Head{i)E'U,  S+IMARs^hF' U  ^ F"  U,  rrP2=P'ME  lA  {a}) 

«[p] 

iff  5-I-IMARsrH„+iE|'A  c - E"rA. 

Relabeling: This case does not apply as $E$ is a $PCCS_R$ expression.

Recursion: $p_1 \cdot p_2 = p \cdot \nu_S(E\{fix_X E/X\}, \{\alpha\}) = p \cdot \nu_S(fix_X E, \{\alpha\})$.

Corollary 15 Let $P, Q \in Pr_R$. Then $P \stackrel{S}{\sim} Q \Rightarrow P \stackrel{R}{\sim} Q$.

By means of the same counterexample that we used at the end of Section 7.1, one shows
that the equivalence induced on the stratified model by reactive bisimulation through $\varphi_{SR}$ is not
a congruence for relabeling. As a consequence, no compositional definition of relabeling in the
reactive model is possible that allows a generalization of Theorem 14.

The corresponding counterexample for summation is also valid for $\varphi_{GR} \circ \varphi_{SG}$, but not for $\varphi_{SR}$
(in fact, it couldn't be, by Theorems 14 and 4). Hence these two mappings are different. It appears
that $\varphi_{SR}$ preserves some of the stratified flavor of nested PCCS summations, which is lost by
$\varphi_{GR} \circ \varphi_{SG}$.
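That the two mappings from the stratified to the reactive model differ can be checked mechanically. The Python code below is an added example, not part of the paper: the tuple encoding of stratified trees and all function names are assumptions, the per-state normalizer is read off the Summation case in the proof of Theorem 14, and the coefficients 1/3, 2/3, 1/2, 1/2 for the nested summation used against Theorem 8 in Section 7.1 are chosen so that the result matches the text (equal probabilities versus a.Y twice as likely as a.X).

```python
from collections import defaultdict
from fractions import Fraction as F

# Encoding assumed for this example (not the paper's notation):
#   ("act", a, target)            action state with one a-transition to `target`
#   ("sum", [(p, subtree), ...])  probability state, branch taken with probability p
# Targets are opaque names: only the first action step of a process is modelled.

def act(a, target):
    return ("act", a, target)

def psum(*branches):
    assert sum(p for p, _ in branches) == 1, "summand probabilities must add up to 1"
    return ("sum", list(branches))

def flatten(tree):
    """Stratified to generative: multiply probabilities along each path of
    probability transitions down to the action at the leaf."""
    if tree[0] == "act":
        return {(tree[1], tree[2]): F(1)}
    out = defaultdict(F)
    for p, sub in tree[1]:
        for key, q in flatten(sub).items():
            out[key] += p * q
    return dict(out)

def normalize(gen):
    """Generative to reactive: divide by the total probability of the action."""
    mass = defaultdict(F)
    for (a, _), p in gen.items():
        mass[a] += p
    return {(a, t): p / mass[a] for (a, t), p in gen.items()}

def flatten_then_normalize(tree):
    """The composed mapping: flatten the whole tree first, normalize once."""
    return normalize(flatten(tree))

def interleaved(tree):
    """Direct stratified to reactive: normalize at every probability state.
    The divisor for action a is the sum of p_i over the branches able to do a."""
    if tree[0] == "act":
        return {(tree[1], tree[2]): F(1)}
    subs = [(p, interleaved(sub)) for p, sub in tree[1]]
    nu = defaultdict(F)
    for p, reactive in subs:
        for a in {a for a, _ in reactive}:
            nu[a] += p
    out = defaultdict(F)
    for p, reactive in subs:
        for (a, t), q in reactive.items():
            out[(a, t)] += p * q / nu[a]
    return dict(out)

def is_summation_guarded(tree):
    """True if every summand of the top-level summation is an action state."""
    return tree[0] == "act" or all(sub[0] == "act" for _, sub in tree[1])

# Constructed inputs. P is the nested summation (coefficients assumed, see above);
# GUARDED is a summation-guarded process over the same actions.
P = psum((F(1, 3), act("a", "X")),
         (F(2, 3), psum((F(1, 2), act("a", "Y")), (F(1, 2), act("b", "Z")))))
GUARDED = psum((F(1, 4), act("a", "X")), (F(1, 4), act("a", "Y")),
               (F(1, 2), act("b", "Z")))

if __name__ == "__main__":
    for name, tree in (("P", P), ("GUARDED", GUARDED)):
        print(name, "summation-guarded:", is_summation_guarded(tree))
        print("  flatten, then normalize:", flatten_then_normalize(tree))
        print("  interleaved            :", interleaved(tree))
```

For the summation-guarded input both functions return the same reactive probabilities, as the remark on Lemma 3 predicts; for the nested summation they do not.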


7.4  The  Probabilistic  to  Nonprobabilistic  Abstraction 

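Let $E, E'$ be PCCS expressions. Then $IMAR_{SN}$ is given by

$$\frac{E \stackrel{p}{\longmapsto}_i E' \quad E' \xrightarrow{\alpha} E''}{E \xrightarrow{\alpha} E''}$$

Similarly $IMAR_{GN}$ and $IMAR_{RN}$ are given by

$$\frac{E \xrightarrow{\alpha[p]}_i E'}{E \xrightarrow{\alpha} E'} \qquad\qquad \frac{E \stackrel{\alpha[p]}{\hookrightarrow}_i E'}{E \xrightarrow{\alpha} E'}$$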

These  inter-model  abstraction  rules  simply  throw  away  all  probabilities.  It  is  comparatively 
straightforward  to  establish  the  remaining  commutativity  results  announced  in  the  introduction. 

Theorem 16 (Abstraction) Let $G, H \in \mathbb{G}_R$. Then $G \stackrel{R}{\sim} H \Rightarrow \varphi_{RN}(G) \sim \varphi_{RN}(H)$.

Proof: Following the idea of the previous abstraction proofs, we show that a reactive bisimulation
on $Pr_R$ is also a nonprobabilistic bisimulation (with respect to the transitions derivable from
$R + IMAR_{RN}$, but by commutativity these are the same as the ones derivable from $N$). This
follows as $\mu_N$ is completely determined by $\mu_R$, namely

$$\mu_N(P, \alpha, S) = \begin{cases} 0 & \text{if } \mu_R(P, \alpha, S) = 0 \\ 1 & \text{if } \mu_R(P, \alpha, S) > 0 \end{cases} \qquad \Box$$


As before, the general (semantic) case can be obtained in the same way, after defining the
involved bisimulations on the (semantic) transition system domains. Generative or stratified to
nonprobabilistic abstraction results can also be proved likewise, but these follow already by
combination with the previous abstraction results.

8  Conclusions  and  Open  Problem

In  this  paper  we  have  presented  a  variety  of  congruence,  commutativity,  and  abstraction  results 
that  carefully  interrelate  the  reactive,  generative,  and  stratified  models  of  probabilistic  processes. 
In  so  doing,  we  have  seen  that  generative  bisimulation  (~)  is  not  a  congruence  in  the  stratified 
model,  while  stratified  bisimulation  is.  However,  is  not  the  largest  congruence  contained  in 
£  (it  is  too  fine).  For  example,  consider  P  =  [l][l]o.O  and  Q  =  [l]a.O.  We  have  ips{P)  ^  ^s{Q) 
yet  tpsG{^s{C[P]))  ~  fpsG{vs{C[Q])):  for  any  context  C[]. 

It  is  interesting,  therefore,  to  ask  what  is  the  largest  congruence  contained  in  We  can  show 
that,  in  terms  of  its  distinguishing  strength,  the  following  equivalence  relation  falls  strictly  between 
S  and  ~,  and  is  still  a  congruence  in  the  stratified  model. 

Definition 8 An equivalence relation $\mathcal{R} \subseteq Pr \times Pr$ is a mixed bisimulation if $(P, Q) \in \mathcal{R}$ implies
$\forall S \in Pr/\mathcal{R}$,

• $\mu_S(P, *, S) = \mu_S(Q, *, S)$ if both $P$ and $Q$ are probability processes

• and $\forall \alpha \in Act$, $\mu_{SG}(P, \alpha, S) = \mu_{SG}(Q, \alpha, S)$

Two processes $P, Q$ are mixed bisimulation equivalent (written $P \sim Q$) if there exists a mixed
bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$.

Mixed  bisimulation  essentially  allows  an  a-transition  in  one  process  to  be  matched  by  an  a- 
transition  preceded  by  a  number  of  probability-1  transitions  in  the  other  process  (the  second  clause). 
At  the  same  time,  probability-1  transitions  at  other  places  may  be  significant  in  a  product  context, 
and  must  therefore  be  taken  into  account  (the  first  clause).  We  close  with  the  following: 

Conjecture  (Full  Abstraction)  In  the  stratified  model,  ~  is  the  largest  congruence  contained 

.  G 

m 